FEDERAL BUREAU OF INVESTIGATION 


FOI/PA 


DELETED PAGE INFORMATION SHEET 


FOI/PA# 1353814-0 


Total Deleted Page(s) = 4 

Page 9 ~ Referral/Consult; 
Page 10 ~ Referral/Consult; 
Page 26 ~ Referral/Consult; 
Page 27 ~ Referral/Consult; 


XXXXXXXXXXXXXXXXXXXXXXXX 


x Deleted Page(s) x 
x No Duplication Fee X 
x For this Page x 


XXXXXXXXXXXXXXXXXXXXXXXX_ 


DECLASSIFIED BY: NSICG C87W44B73
ON 01-25-2018 Serial 120


b7E
Official Record
FD-1087 (Rev. 5-8-10)
SECRET//NOFORN
FEDERAL BUREAU OF INVESTIGATION 
Collected Item Log 


Event Title: (U) Midyear Exam    Date: 10/09/2015


Approved By:    b6
b7C
Drafted By:    b7C


Case ID #:    MIDYEAR EXAM;


MISHANDLING OF CLASSIFIED; 
UNKNOWN SUBJECT OR COUNTRY; 
SENSITIVE INVESTIGATIVE MATTER (SIM) 


Classify On: 20251 


Full Investigation Initiated: 07/10/2015 


Collected From: [ ]    b6


1100 NY Avenue NW Suite 300 b7c 
Washington, District Of Columbia 20005 


Receipt Given?: No 


Holding Office: WASHINGTON FIELD 


Details: No Details Provided 
Item Type Description 
1B Digital (U)


Js Server 882 neg caer barcode


C8470FC11M70024, Pin    b6
Collected On: 10/06/2015    b7C
Seizing Individual:    b7E
Collected By: 

Location Area: NA 

Specific Location: NA 

Device Type: Computer 

Number of Devices Collected: 1 


SECRET//NOFORN


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its
contents are not to be distributed outside your agency.


HRC-8643 


SECRET//NOFORN


Title: (U) Midyear Exam
Re: 10/09/2015


SECRET//NOFORN


HRC-8644


b3 
b7E 


b3 
b7E 


DECLASSIFIED BY: NSICG C87W44B73
ON 01-25-2018 Serial 111


FD-1087 (Rev. 5-8-10)
SECRET//NOFORN
FEDERAL BUREAU OF INVESTIGATION 


Collected Item Log 


Event Title: (U) MidYear Exam    Date: 10/09/2015


b6
b7C


Case ID #:    MIDYEAR EXAM;


MISHANDLING OF CLASSIFIED; 
UNKNOWN SUBJECT OR COUNTRY; 
SENSITIVE INVESTIGATIVE MATTER (SIM) 


Full Investigation Initiated: 07/10/2015 


(0) 
Collected From: PS Katherine Turner 
Williams & Connolly LLP 
725 12th Street NW 
Washington, District Of Columbia 


Receipt Given?: No 


Holding Office: WASHINGTON FIELD 


Details: No Details Provided 

Item Type Description 

1B Digital (U) 1 USB Drive, 128 GB, Black in Color, S/N [__]    b6
Collected On: 10/08/2015    b7C


Seizing Individual:    b7E


Collected By: 

Location Area: Collected via Consent from Equinix
Specific Location: 275 Hartz Way, Secaucus, NJ 
Device Type: USB Micro Storage Device (thumb drive) 
Number of Devices Collected: 1 


SECRET//NOFORN


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its
contents are not to be distributed outside your agency.


HRC-8645 


b7E 
SECRET//NOFORN


Title: (U) MidYear Exam
Re: 10/09/2015    b3


b7E 


1B Digital (U) 1 Cisco NAS, Model NSS324, S/N QNP14150082, MAC
Collected On: 10/08/2015    b7C


Seizing Individual:    b7E
Collected By:

Location Area: Collected via Consent from Equinix
Specific Location: 275 Hartz Way, Secaucus, NJ 
Device Type: Hard Drive 

Serial Number: QNP14150082 

Number of Devices Collected: 1 


1B Digital (U) 1 Dell PowerEdge R260 Server, Service Tag GXJWFXL
Service Code [__________] Mfg Date    b6
Collected On: 10/08    b7C
Seizing Individual:    b7E
Collected By: 
Location Area: Collected via Consent from Equinix 
Specific Location: 275 Hartz Way, Secaucus, NJ 
Device Type: Hard Drive 
Number of Devices Collected: 1 


o¢ 


HRC-8646 


DECLASSIFIED BY: NSICG C87W44B73
ON 01-25-2018 Serial 112


FD-1087 (Rev. 5-8-10)
SECRET//NOFORN


FEDERAL BUREAU OF INVESTIGATION 
Collected Item Log 


Event Title: (U) Midyear Exam    Date: 10/19/2015


Approved By:


b6
b7C
Case ID #:    (U) MIDYEAR EXAM;


MISHANDLING OF CLASSIFIED; 
UNKNOWN SUBJECT OR COUNTRY; 
SENSITIVE INVESTIGATIVE MATTER (SIM) 


Full Investigation Initiated: 07/10/2015 
Collected From: (U) Partner Katherine M. Turner
Williams and Connolly, LLP 


Receipt Given?: No 
Holding Office: WASHINGTON FIELD 
Details: No Details Provided 


Item Type Description 

1B Digital (U) Black Berry 8310, IMEI 359158027424467
Collected On: 10/16/2015 
Seizing Individual: 
Collected By: 
Location Area: NA 
Specific Location: NA 
Device Type: Cell Phone 
Number of Devices Collected: 1 


b6 
b7C 


SECRET//NOFORN


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its 
contents are not to be distributed outside your agency. 


HRC-8647 


SECRET//NOFORN


Title: (U) Midyear Exam
Re: 10/19/2015


1B Digital (U) Black Berry 8700G, IMEI 3576460005545990
Collected On: 10/16/2015
Seizing Individual:
Collected By:
Location Area: NA
Specific Location: NA
Device Type: Cell Phone
Number of Devices Collected: 1


1B Digital (U) 32 GB Apple iPad, S/N [ ]
Collected On: 10/16/2015
Seizing Individual:
Collected By:
Location Area:
Specific Location: NA
Device Type: Cell Phone
Number of Devices Collected: 1


SECRET//NOFORN


b3 
b7E 


b3 
b7E 


b6
b6
DECLASSIFIED BY: NSICG C87W44B73
ON 01-25-2018 Serial 121


FD-1057 (Rev. 5-8-10)
SECRET//NOFORN
FEDERAL BUREAU OF INVESTIGATION 


Electronic Communication 


Title: (U//FOUO) Chain of Custody for 1B3    Date: 11/23/2015


From: WASHINGTON FIELD 
WF-CI13 


b3 


b7C 


Case ID #:    (U) MIDYEAR EXAM;


MISHANDLING OF CLASSIFIED; 
UNKNOWN SUBJECT OR COUNTRY; 
SENSITIVE INVESTIGATIVE MATTER (SIM) 


Synopsis: (U//FOUO) Document the status of the chain of custody for
1B3.


Classify On: 2040 


Full Investigation Initiated: 07/10/2015 


Reference: [ ] Serial 56    b3
b7E 


Details: 


(U//FOUO) As documented in the referenced serial, on August 12,
2015 the FBI obtained a Dell Poweredge 2900, Gray Color, S/N G842PC1
from the custody of Platte River Networks and entered it into evidence
as item 1B3 of the captioned investigation. The item was directly
transported to the FBI Operational Technology Division (OTD) the same
day. At 12:02 PM on October 20, 2015, [ ]
1B3 from OTD where he discovered the original chain of custody was
missing. SA [___] transported 1B3 to the Washington Field Office
and placed it into secure storage. This communication documents the


SECRET//NOFORN


HRC-8651


b7E
SECRET//NOFORN


Title: (U//FOUO) Chain of Custody for 1B3
Re: 11/23/2015    b3
b7E


loss of the original chain of custody and the creation of a new chain
of custody beginning with SA [____] on October 20, 2015.    b6
b7C


SECRET//NOFORN


HRC-8652 


DECLASSIFIED BY: NSICG C87W44B73
ON 01-25-2018 Serial 122


FD-1087a (Rev. 5-8-10)
SECRET//NOFORN
FEDERAL BUREAU OF INVESTIGATION
Evidence Entry
Event Title: (U) MIDYEAR EXAM    Date: 11/27/2015
b6
b7C
Case ID #:    (U) MIDYEAR EXAM;
MISHANDLING OF CLASSIFIED; 
UNKNOWN SUBJECT OR COUNTRY; 
SENSITIVE INVESTIGATIVE MATTER (SIM) 
Derive 
Sources 
ssify On: 20 
Full Investigation Initiated: 07/10/2015 
Collected By: Missing on Missing 
Collected From: WILMER HALE 
1875 PENNSYLVANIA AVE NW 
WASHINGTON, District Of Columbia 
Receipt Given?: No 
Holding Office: WASHINGTON FIELD 
Item Type Description 
1B Digital (U) ONE (1) WESTERN DIGITAL MY PASSPORT ULTRA EXTERNAL 
HARD DRIVE WITH SERIAL NUMBER WXG1AA3M2130 
Collected On: 11/25/2015 
Seizing Individual:    b6
Located By:    b7C
Location Area: 1875 PENNSYLVANIA AVE NW
Specific Location: 1875 PENNSYLVANIA AVE NW
Device Type: Portable Hard Drive
Number of Devices Collected: 1
SECRET//NOFORN


HRC-8653 


b7E
SECRET//NOFORN


Title: (U) MIDYEAR EXAM
b7E


SECRET//NOFORN


HRC-8654 


ALL FBI INFORMATION CONTAINED    Serial 123
HEREIN IS UNCLASSIFIED
DATE 01-25-2018 BY C87W44B73 NSICG

SECRET//NOFORN


FEDERAL BUREAU OF INVESTIGATION 


Electronic Communication 


Title: (U//FOUO) Attorney Correspondence    Date: 12/04/2015


From: WASHINGTON FIELD
WF-CI13


Contact: [ ]


b6
b7C


Case ID #:    (U) MIDYEAR EXAM;
MISHANDLING OF CLASSIFIED; 


UNKNOWN SUBJECT OR COUNTRY; 
SENSITIVE INVESTIGATIVE MATTER (SIM) 


Synopsis: (U//FOUO) To document the submission of a FD-340 to the 1A
sub-file section of the captioned case file.


Full Investigation Initiated: 07/10/2015 


Enclosure(s): Enclosed are the following items:

1. (U//FOUO) 10/28/2015 Letter from DOJ to Wilmer Hale
2. (U//FOUO) 10/16/2015 Letter from Williams and Connolly to DOJ
3. (U//FOUO) 10/14/2015 Letter from Williams and Connolly to DOJ
4. (U//FOUO) 10/7/2015 Letter from Latham and Watkins to DOJ
5. (U//FOUO) 10/4/2015 Letter from DOJ to Williams and Connolly
6. (U//FOUO) 10/4/2015 Letter from DOJ to Williams and Connolly, and
Latham and Watkins
7. (U//FOUO) 10/2/2015 Letter from Williams and Connolly to DOJ
8. (U//FOUO) 10/1/2015 Letter from Williams and Connolly to DOJ
9. (U//FOUO) Two 9/25/2015 Letters from Williams and Connolly to DOJ


Details: 


SECRET//NOFORN


HRC-8655


Serial 123    b3
b7E
SECRET//NOFORN
Title: (U//FOUO) Attorney Correspondence
Re: [ ] 12/04/2015    b3
b7E


(U//FOUO) This communication serves to document the submission of a
FD-340 (1A) to the 1A sub-file of the captioned case.


SECRET//NOFORN


HRC-8656 


ALL FBI INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED
DATE 01-25-2018 BY C87W44B73 NSICG

UNCLASSIFIED//FOUO

Physical 1A/1C Cover Sheet for Serial Export

Created From:
b7E

Serial 123
Package: 1A43
Stored Location: None
Summary: (U//FOUO) Attorney correspondence
Acquired By:    b6
Acquired On: 2015-12-02    b7C
Attachment: (U//FOUO) 10/28/2015 Letter from DOJ to Wilmer Hale


HRC-8657 


ALL FBI INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED
DATE 01-25-2018 BY C87W44B73 NSICG

UNCLASSIFIED//FOUO

Physical 1A/1C Cover Sheet for Serial Export

Created From:    b3

Serial 123    b7E
Package: 1A43
Stored Location: None
Summary: (U//FOUO) Attorney correspondence
Acquired By:
Acquired On: 2015-12-02
Attachment: (U//FOUO) 10/16/2015 Letter from Williams and Connolly to DOJ


HRC-8658 


ALL FBI INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED
DATE 01-25-2018 BY C87W44B73 NSICG

UNCLASSIFIED//FOUO

Physical 1A/1C Cover Sheet for Serial Export

Created From:
b7E
Serial 123
Package: 1A43
Stored Location: None
Summary: (U//FOUO) Attorney correspondence
Acquired By:    b6
Acquired On: 2015-12-02    b7C
Attachment: (U//FOUO) 10/14/2015 Letter from Williams and Connolly to DOJ


HRC-8659 


ALL FBI INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED
DATE 01-25-2018 BY C87W44B73 NSICG

UNCLASSIFIED//FOUO

Physical 1A/1C Cover Sheet for Serial Export

b3
Created From:

Serial 123
Package: 1A43
Stored Location: None
Summary: (U//FOUO) Attorney correspondence
Acquired By:
Acquired On: 2015-12-02    b7C
Attachment: (U//FOUO) 10/7/2015 Letter from Latham and Watkins to DOJ


HRC-8660 


ALL FBI INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED
DATE 01-25-2018 BY C87W44B73 NSICG

UNCLASSIFIED//FOUO

Physical 1A/1C Cover Sheet for Serial Export

Created From:

Serial 123
Package: 1A43
Stored Location: None
Summary: (U//FOUO) Attorney correspondence
Acquired By:    b6
Acquired On: 2015-12-02
Attachment: (U//FOUO) 10/4/2015 Letter from DOJ to Williams and Connolly


HRC-8661 


ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED
DATE 01-25-2018 BY C87W44B73 NSICG

UNCLASSIFIED//FOUO

Physical 1A/1C Cover Sheet for Serial Export

Created From:

Serial 123
Package: 1A43
Stored Location: None
Summary: (U//FOUO) Attorney correspondence
Acquired By:
Acquired On: 2015-12-02
Attachment: (U//FOUO) 10/4/2015 Letter from DOJ to Williams and Connolly,
and Latham and Watkins


b3 
b7E 


b6é 
b7C 


HRC-8662 


ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED
DATE 01-25-2018 BY C87W44B73 NSICG

UNCLASSIFIED//FOUO

Physical 1A/1C Cover Sheet for Serial Export

Created From:
b7E

Serial 123
Package: 1A43
Stored Location: None
Summary: (U//FOUO) Attorney correspondence
Acquired By:
Acquired On: 2015-12-02
Attachment: (U//FOUO) 10/2/2015 Letter from Williams and Connolly to DOJ


HRC-8663 


ALL FBI INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED
DATE 01-25-2018 BY C87W44B73 NSICG

UNCLASSIFIED//FOUO

Physical 1A/1C Cover Sheet for Serial Export

Created From:    b3
b7E

Serial 123
Package: 1A43
Stored Location: None
Summary: (U//FOUO) Attorney correspondence
Acquired By:    b6
Acquired On: 2015-12-02    b7C
Attachment: (U//FOUO) 10/1/2015 Letter from Williams and Connolly to DOJ


HRC-8664 


ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED
DATE 01-25-2018 BY C87W44B73 NSICG

UNCLASSIFIED//FOUO

Physical 1A/1C Cover Sheet for Serial Export

Created From:

Serial 123
Package: 1A43
Stored Location: None
Summary: (U//FOUO) Attorney correspondence
Acquired By:    b6
Acquired On: 2015-12-02
Attachment: (U//FOUO) Two 9/25/2015 Letters from Williams and Connolly to DOJ


HRC-8665 


ALL FBI INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED
DATE 01-25-2018 BY C87W44B73 NSICG
SECRET//NOFORN
FEDERAL BUREAU OF INVESTIGATION
Electronic Communication


Title: (U//FOUO) Liaison Contacts    Date: 08/24/2016


From: WASHINGTON FIELD
WF-CI13


Case ID #:    MIDYEAR EXAM;
MISHANDLING OF CLASSIFIED;
UNKNOWN SUBJECT OR COUNTRY;
SENSITIVE INVESTIGATIVE MATTER (SIM)


Synopsis: (U//FOUO) To document liaison contacts encountered during
investigation.


Full Investigation Initiated: 07/10/2015


Details:


(U//FOUO) During the course of the captioned investigation, CI-13
had liaison contact with the departments and agencies below.


Central Intelligence Agency
Department of Defense
Department of Energy
Department of Homeland Security
Department of Justice
Department of State
Department of Treasury
Drug Enforcement Agency
Executive Office of the President


SECRET//NOFORN


b3 
b6 
b7c 
bIE 


HRC-8668 


SECRET//NOFORN


Title: (U//FOUO) Liaison Contacts
Re: 08/24/2016


National Aeronautics and Space Administration 
National Geospatial Agency 

National Reconnaissance Office 

National Security Agency 

National Security Council 

Office of Professional Management 

Office of the Director of National Intelligence 
United States Secret Service

CLASSIFIED BY: NSICG J76J18T80
REASON: 1.4 (C,D)
DECLASSIFY ON: 12-31-2041
DATE: 01-17-2017

(Rev. 05-01-2008)

results of these searches showed the following:


(U//FOUO) These events are described in detail below.


a a 


(8) 


HRC-8764 


b1
b3
b7E


b1
b3
b7E


b1
b3
b7E


b1
b3
b7E


b1
b3
b7E


b6
b7C


HRC-8769 


(Rev. 05-01-2008)


CLASSIFIED BY: NSICG J76J18T80
REASON: 1.4 (C,D)
DECLASSIFY ON: 12-31-2041
DATE: 01-17-2017


ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT
WHERE SHOWN OTHERWISE

(S)

FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE    Date: 2/29/2016

To: Washington Field

From: Washington Field
CI-13
Contact: S.

Approved By:

Drafted By:

Case ID #: [scp -3    b3

Title: MIDYEAR EXAM;
MISHANDLING OF CLASSIFIED;
UNKNOWN SUBJECT OR COUNTRY;
SENSITIVE INVESTIGATIVE MATTER (SIM)


SECRET//NOFORN


HRC-8770 


b1
b3
b7E


b6
b7C


b3
b7E


b1
b3
b6
b7C
b7E


b1
b3
b7E


(Rev. 05-01-2008)
b1
SECRET//NOFORN    b3
b7E
FEDERAL BUREAU OF INVESTIGATION
b1
(S)    b3
b7E

Synopsis: (U//FOUO) To memorialize Intelligence Bulletin
authored by IA [ ] on 29 October 2016.


Classified By: F36M12K15
Derived From: [ ] dated 20130301
Declassify On: 20410223


Details: Cyber Division [ ] supported
captioned investigation from 9 September to 30 October 2016.
During IA [ ] tenure, he conducted research on
approximately [ ] email addresses found in the To:, From:, Cc:,
or Bcc: portions of emails sent to any of Hillary Rodham
Clinton’s (HRC) electronic accounts. The approximately [___] email
addresses were found in the .pst file provided to the FBI in
August 2015 by Williams & Connolly, HRC’s attorneys.


OC ATE IA 


(U//FOUO) An electronic copy of the aforementioned
intelligence product, search results conducted in FBI databases

Synopsis: (U//FOUO) Documents analysis of suspicious logon
attempts to the APPLE ICLOUD account associated with
hdr22@clintonemail.com.

Details: (U//FOUO) Writer conducted an analysis of logon attempts
to the APPLE ICLOUD account associated with the email address of
hdr22@clintonemail.com. Records were received from the APPLE
internet service provider which identified 126 logon attempts made
to that account, between the dates of 03/03/2015 and 12/13/2015.
Of those attempts, 121 were made using the APPLE IFORGOT feature,
and 5 were made using the MYAPPLEID feature.


(U//FOUO) The table on the following page depicts:

(U//FOUO) Writer then conducted logical investigative
follow-up on each of the above addresses. The following is a summary
of the pertinent findings.

(U//FOUO) At this time no additi[ ]
identified to explain [ ]


login attempts began on 03/03/2016, which occurred a day
after the New York Times release of Clinton's use of a personal email
system. Writer recommends that Agents conduct an interview with
in attempt to determine further information about
the logon attempts to the ICLOUD hdr22@clintonemail.com account.


was a Tw € attempted unauthorized access 
additional APPLE ICLOUD accounts. The majority of the 
targeted victims appeared to be celebrity figures, politicians, 


and/or corporate executives. San Franci ble to positively 
_ attribute the unauthorized logins . aemaaaes | 


(U//FOUO)

b7E
(U//FOUO) Investigation in this matter has determined that
was likely responsible for logon attempts
to the hdr22@clintonemail.com ICLOUD account. Those attempts
b6
b7C
b7E
into ICLOUD accounts from
Lastly, was identified in the San
Francisco investigation as also being
(U//FOUO) Additionally,    b3
is referenced in a
A review of tha prc
b7E
(U//FOUO) In support of this investigation, San Francisco    b6
provided writer with    b7A
A review De
of that evidence identified
(U//FOUO) Given that [___] admitted conducting
unauthorized access attempts to ICLOUD accounts
b6
were also obtained for    b7C
In reviewing those records, writer assesses that    b7E


corroborate

(U//FOUO) Attempts to find additional identifying information
for the actors conducting login attempts from
b6
were all met with negative results. RIS
(U//FOUO) ENCLOSURES
(U//FOUO) Enclosed for the file in a 1A envelope is one compact
disk containing:    b3
b6
b7C
b7E

UNKNOWN SUBJECT OR COUNTRY;
SENSITIVE INVESTIGATIVE MATTER (SIM)


Synopsis: To document [ ] search
results of email addresses found in confirmed classified
messages and/or belonging to individuals part of Hillary Rodham
Clinton’s close circle.


Classified By:
Derived From: [ ] dated 20130301
Declassify On: 20410223


Details: (U//FOUO) Through the course of captioned
investigation, numerous email addresses found in confirmed
classified messages and/or belonging to individuals part of
Hillary Rodham Clinton’s (HRC) [ ]
identified. Writer conducted [ ] on
all facilities between 12 an[ ] February [ ] results are as
follow.


(U//FOUO) Email Addresses Found in Confirmed Classified

(U//FOUO) On 12 January 2016, [ ]
compiled a histogram of email addresses found in confirmed
classified messages up to that date. The list was captured in a
Excel workbook [ ] which
writer edited in order to capture additional information, as
well as [ ] search results.


(U//FOUO)

3 it i nknowr
ip
impersonate HRC’s hdr22. [ ] To the FBI’s
knowledge,


Microsoft Excel wo[ ]
along with    b7E
[ ] is enclosed in a 1A envelope for the file.
(U//FOUO) [ ] Belonging to HRC’s Close Circle
(U) [ ] writer's arrival to CI-13, Cyber    b6
Division I[ ] supported captioned investigation from    b7C
9 September to 30 October 2016. [ ] perused the data set    b7E
of approximately 30,000 emails obtained from Williams &
Connolly, and identified about
individuals

b7C
b7E


(U//FOUO) Writer conducted


b1
b3


HRC-8800 72


(Rev. 05-01-2008)
SECRET//NOFORN


FEDERAL BUREAU OF INVESTIGATION


(U//FOUO) A printout of a Microsoft Excel [ ]
listing the [ ] along with
[ ] results, is enclosed in a 1A envelope for the file.

wor.


the s Close Circle in
order to identify overlaps in both lists and ensure all accounts
had been properly accounted for. Both worksheets are enclosed in
a 1A envelope for the file.

UNKNOWN SUBJECT OR COUNTRY;
SENSITIVE INVESTIGATIVE MATTER (SIM)


Synopsis: (U//FOUO) Analysis performed by TOU on referenced evidence item
to check for common artifacts of cyber intrusion activity, malware, and
other forms of unauthorized access.


Classified By: C21W96B6
Derived From: C dated 20130301
Declassify On: 20410321


Details: (U//FOUO) At the request of Counterintelligence Division (CD)
and WFO squad CI-13, the Cyber Division (CyD) Technical Operations Unit (TOU)
performed an analysis of the forensic image of the following evidence item
to check for the presence of malware and/or other indicators of compromise
(IOCs):


• Case ID:    b3
• Lab #: 150806250    b7E
• Specimen: DEHQ55
• Item: QHQ1_1
• Description: Lexar Micron 16GB LJDTT16G-000-1001DA
(U//FOUO) TOU performed scans to identify malicious attachments within an
email archive found on the forensic image of the referenced device.
Several malicious attachments were identified among the email    b7E
messages [ ]. Malware analysis was performed on these samples,
and based on this analysis TOU is categorizing these into two separate
incidents.


(U//FOUO) The first incident pertains to emails associated with
widespread ishi in-


b3
b7A
b7E


1s campaign. No further analysis
was performed on these samples since the samples matched those in the report
referenced above.


(U//FOUO) The second incident pertains to a ici i i

The email contained a malicious PDF that was determined to be a dropper    b7E
for a common Remote Access Tool (RAT) called Poison Ivy.

(U//FOUO) Detailed analysis and indicators are provided in the attached
report. Also attached is an open source report found at
https://raw.githubusercontent.com/fireeye/pivy-report/master/PIVY-Appendix.pdf,
which depicts the malware from the second incident in the context
of a broader set of APT activity. These findings will be provided to the


CyD analysis cell assisting with [ ] investigative    b7E

Synopsis: (U//FOUO) Analysis performed by TOU on referenced evidence item
to check for common artifacts of cyber intrusion activity, malware, and
other forms of unauthorized access.


Details: (U//FOUO) At the request of Counterintelligence Division (CD) and
WFO squad CI-13, the Cyber Division (CyD) Technical Operations Unit (TOU)
performed an analysis of the forensic image of the following evidence item
to check for the presence of malware and/or other indicators of compromise
(IOCs):

• Case ID:
• Lab #: 150806250
• Specimen: DEHQ55
• Item: QHQ2_1
• Description: Toshiba Laptop from Williams & Connolly LLP


(U//FOUO) A detailed intrusion analysis of the forensic image of the laptop
was performed. No indications were found that an attacker may
have gained unauthorized access to the machine. The machine was in service


b3
b7E


b7E


during the period of March 14, 2012 to August 6, 2015 on Williams & Connolly
LLP's network. The machine was used infrequently over the 3-year period
b7E
by unique user accounts.

(U//FOUO) The machine was used to review emails in preparation [ ]
to the FBI. Those emails are contained within an archive file    b3
located on the desktop of the user account [ ]. This archive    b7E
was analyzed for [ ] is documented in an adjoining report in
the case file [ ] Lab #: 150806250 Specimen: DEHQ55 Item:
QHQ1_1.

(U//FOUO) Detailed analysis of this item is in the attached    b7E
report. Also attached are the supporting [ ] reports. These
findings will be provided to the CyD [ ] with this


matter for logical investigative follow-up.

UNKNOWN SUBJECT OR COUNTRY;
SENSITIVE INVESTIGATIVE MATTER (SIM)


b7E
Synopsis: [___] searches conducted by NCIJTF.


Classified By: 391744784
Derived From: C dated 20130301
Declassify On: 20410322


Details: In furtherance of this investigation, the FBI
conducted [ ] facilities of interest in this    b6
matter. Those queries were conducted    b7C
by [ ] currently assigned to the FBI’s NCIJTF in    b7E
Chantilly, Virginia.
Enclosed for the file in a physical [ ] envelope [ ]
is one compact disk, containing the results of the [ ] queries


that were conducted for this investigation.

Title: MIDYEAR EXAM;
MISHANDLING OF CLASSIFIED;
UNKNOWN SUBJECT OR COUNTRY;
SENSITIVE INVESTIGATIVE MATTER (SIM)


CYBER ~ +5


Synopsis: To document research and analysis conducted
on identified email accounts associated with Hillary Rodham
Clinton (HRC) and any information related to the
clintonemail.com domain.


Classified By: F36M12K:
Derived From: [ ] dated 20130301
Declassify On: 20410223


b3
b6
b7C
b7E


HRC-8821

b3


(Rev. 05-01-2008)    b7E


b1
(S)    b3
b7E
Details: Investigation to date has led to the    b7E
identification of [ ] associated with HRC. Writer
queried Sentinel, and [ ]
related [ ]
Positive results are noted below and
[ ] Microsoft Excel spreadsheet enclosed on a
disc in a 1A envelope for the file.
Based on a list of identified email addresses
obtained from various sources, queries were conducted on the
following accounts:
1 | ClintonHR@state.gov
2 |
3 |
4 |
5 |
6 |
7 |    b6
8 | hdr22@clintonemail.com    b7C
9 | hdr29@clintonemail.com    b7E
10 | hdr29@hrcoffice.com
11 |
12 | hr15@att.blackberry.net
13 | hr15@mycingular.blackberry.net
14 |
15 | hrcarchive@clintonemail.com
16 | hrcarchive@presidentclinton.com


SECRET//NOFORN    b3


HRC-8822    b7E

17 | hrod17@clintonemail.com    b7C
b7E
(U//FOUO) ClintonHR@state.gov
(U//FOUO) Sentinel Queries
(S)
b1
b3
b7A
b7E
(U) Per
discussion with    b3
b7D
b7E
Per se
ie Same investigation e data revealed
[ ] No additional information
[ ] targeting of ClintonHR@state.gov was identified.
b3
(U)    b7A
b7E
No additional
to this incident was identified.
b3
(U)    b7A
b7E


No additional
lation was gleaned from the referenced case file.

SECRET//NOFORN    b3

(S)    b1
b3
b7E
b1

ueries    b3
b7E
(U//FOUO) HDR22@clintonemail.com
(U//FOUO) Sentinel Queries
b3
(U) A search of HDR22@clintonemail.com in Sentinel    b6
revealed the account was the target of unauthorized    b7A
iCloud login attempts [ ]    b7C
[ ] highlighted approximately [ ]    b7E
[ ]
and 30 June 2015. Per
[ ] stated
[ ].com had only
[ ] attempt
[ ] iCloud account is
documented in MIDYEAR EXAM, Cyber sub-folder, serial 7.
b6
While reviewing [_______] related
to the aforementioned FBI San Francisco investigation, writer    b7C
b7E


(U) Additional Sentinel results referenced open
source articles from 2015 that mentioned HDR22@clintonemail.com.
No valuable intelligence was gleaned from the articles.
[Reference: Various serials]

b1
b3
b6
b7C
b7E
b7E
[ ] results for HDR22@clintonemail.com are
enclosed on a disc in a 1A envelope for the file.
(U) Additional Research
Writer was alerted by the MIDYEAR EXAM Review
Team on 21 March 2015 of a likely [ ]phishing incident    b7E
targeting HDR22@clintonemail.com on 5 June
2011. The email was sent from [ ] and was
purportedly a DHL delivery notification, which enclosed an
attachment titled “DHL mail.zip.” HDR forwarded the email to
Huma ABEDIN (huma@clintonemail.com) asking if she knew what the
email was about, also stating she deleted the message upon
receipt. A search for the sender address in Sentinel yielded
negative results.
(U//FOUO) HR15@mycingular.blackberry.net
(U//FOUO) Sentinel Queries
03/    b3
November 2015,    b6
b7A
b7C
b7E
(U//FOUO) HROD17@clintonemail.com
(U//FOUO) Sentinel Queries
(U)    b6
b7C

(U) Additional Research


Per research conducted by [ ]
during his TDY (9 September to 30 October 2015) to support
ng : 2 SSF : 2


[ ] Open Source article referenced
the malicious attachment(s), if opened, would
have compromised the host and sent information to at least three
computers overseas, including one in Russia. According to the
same open source article, a spokesman for HRC said there was no
evidence of a breach.


(U//FOUO) The phishing event was summarized by IA
[ ] in a separate report and is enclosed on a disc in a 1A
envelope for the case file.


(U//FOUO) ClintonEmail.com Domain


In addition to queries conducted on known
email accounts belonging to HRC, writer also queried FBI systems
for any additional information related to the clintonemail.com
domain, filtering for [ ] information only. The
following was gleaned from queries conducted in Sentinel and


(U//FOUO) Sentinel Queries


Queries on the clintonemail.com domain yielded
approximately [ ] results, some of which are documented above.

One result of interest [ ]

in which a CHS states


It is unk i i ted
the CHS to identify and report No
SECRET//NOFORN

b7C
b7E

further information related to the [ ] in Sentinel    b3
holdings. (Reference: [ ]


b7E
(U//FOUO) Remaining Sentinel hits referenced open
source articles in which the domain was mentioned, warranting no
further action. Additional open source research on the domain
and logical pivoting is detailed in MIDYEAR EXAM, Main case
file, serial 141.
b1
b3
b6
b7E
b6
tember 2015, SSA    b7C
(CyD/TOU) conducted searches on the clintonemail.com and    b7E
presidentclinton.com domains. His findings are serialized in
MIDYEAR EXAM, Cyber sub-folder, serial 2.
(U) Additional Queries
On or about October 2015, the MIDYEAR EXAM
Investigative Team submitted a


b6

associated with HRC. Targeter    b7C

Office of Analysi    b7E


tive results. Targeter
is enclosed on a disc 
Precedence: ROUTINE Date: 03/23/2016
To: Washington Field

From: [ ] Field

Contact:

Approved By:

Drafted By:

Case ID #: [ ] CYBER - 17

Title: MIDYEAR EXAM;
MISHANDLING OF CLASSIFIED;
UNKNOWN SUBJECT OR COUNTRY;
SENSITIVE INVESTIGATIVE MATTER (SIM)

Synopsis: Final technical analysis report from IAU

Classified By: F41M65K83
Derived From: [ ] dated 20130301
Declassify On: 20411231


Details: On October 20, 2015, Information Technology
Specialist/Forensic Examiner [ ] at the Washington Field
Office Computer Analysis Response Team (CART) requested the
assistance of the Operational Technology Division (OTD)
Investigative Analysis Unit (IAU) in support of the case
[ ]. The details of the request are documented in Serial-3
[ ] CART sub-file.

IAU conducted an analysis of the following digital
evidence: [ ]

A report dated February 10, 2016 containing the
results of the analysis of [ ] for intrusion-related
[ ] by IT [ ] Investigative Analysis Unit [ ]
A copy of the technical analysis report is enclosed in a 1A envelope
for inclusion in the case file.
Approved By:
Case ID #: [ ] CYBER - 2°
Title: MIDYEAR EXAM;
MISHANDLING OF CLASSIFIED;
UNKNOWN SUBJECT OR COUNTRY;
SENSITIVE INVESTIGATIVE MATTER (SIM)

Synopsis: To document research and analysis results for
two email addresses and three IP addresses associated with [ ]

Classified By: F36ML,
Derived From: [ ] dated 20130301
Declassify On: 20410223


Details: Investigative activity [ ] captioned investigation [ ] set up [ ]
to facilitate the [ ] Bryan Pagliano (PAGLIANO) server content to
Platte River Network’s infrastructure. A second email
address, [ ] identified to be his personal account. [ ] for
the two email addresses [ ] addresses were used to
log in to both accounts between March and August 2015. Writer
queried all IP addresses, which are as follows:

[ ], an employee of Platte River Networks (PRN), was one of the
individuals responsible for migrating the Bryan Pagliano (PAGLIANO)
server to PRN in 2013.

HRC-8850
(U) Query Results for [ ]

[ ] printout of [ ] is enclosed in a [ ] envelope for the case
file.

[ ] Results for IP [ ]

HRC-8851


(U//FOUO) [ ] Email Addresses

[ ] search for [ ] and [ ] in Sentinel [ ]
yielded negative results. Information related to [ ]
identification of these accounts and [ ] recollection of
[ ] can be found in two in-person interviews with [ ],
the first conducted on 15 September 2015 (see MIDYEAR
EXAM, 302 Sub-folder, serial 21) and the second on 17 February
2015 (FD-302 not serialized as of the date of this
communication).
Precedence: ROUTINE Date: 3/28/2016
To: Washington Field

From: Washington Field
CI-13

Contact: IA [ ]
Approved By:
Drafted By:
Case ID #: [ ] CYBER +2t
Title: MIDYEAR EXAM;
MISHANDLING OF CLASSIFIED;
UNKNOWN SUBJECT OR COUNTRY;
SENSITIVE INVESTIGATIVE MATTER (SIM)
Synopsis: To document research and analysis results for
email addresses in new confirmed classified not previously
identified.
Details: On or about 7 March 2015 MIDYEAR EXAM
Investigative Team received [ ] messages not
part of the original confirmed classified group of emails.
Sender and recipient email addresses were extracted from the new
messages and compared to a list of email addresses already
researched and documented in MIDYEAR EXAM, Cyber sub-folder,
serial 8. Writer identified two new email addresses: [ ]

(U//FOUO) [ ] results are included on a disc in a 1A
envelope for the case file.
A search for the email address in [ ] and [ ]
yielded negative results. Positive returns were
identified in Sentinel and [ ]

(U) Sentinel Results

[ ] Results

[ ] results are included on a disc in a 1A
envelope for the case file.


(U//FOUO) Research on Two Additional Email Addresses in Original
Group of Confirmed Classified Messages

A review of all unique email addresses found
in confirmed classified messages to date revealed two accounts
not previously identified by writer: [ ]

(U) Queries for both yielded the following:


A search for the email address in [ ]
and [ ] yielded negative results. Positive returns were
identified in Sentinel and [ ]

(U) Sentinel Results

[ ] results are included on a disc in a 1A
envelope for the case file.

A search for the email address in [ ]
and [ ] yielded negative results. Positive returns were
identified in Sentinel and [ ]

(U) Sentinel Results

(U) [ ] Results

(U//FOUO) [ ] results are included on a disc in a 1A
envelope for the case file.

(U) Summary of Findings
Precedence: ROUTINE Date: 3/31/2016
To: Washington Field

From: Washington Field
Contact: IA [ ]
Approved By:
Drafted By:
Case ID #: [ ]
Title: MIDYEAR EXAM;
MISHANDLING OF CLASSIFIED;
UNKNOWN SUBJECT OR COUNTRY;
SENSITIVE INVESTIGATIVE MATTER (SIM)

Derived From: FBI-NSEX [ ] dated 20130301
Declassify On: 20410331

HRC-8862
(U) Details: As documented in MIDYEAR EXAM, Cyber sub-file,
serial 10, Cyber Division’s Technical Operations Unit (TOU)
analyzed the forensic image of a Lexar Micron 16GB USB device
with the purpose of trying to identify malicious content on the
device. Several malicious attachments were found in the email
archive located on the USB, which TOU subsequently analyzed and
categorized into two separate incidents.

(U) Malicious Attachment’s Beaconing Information

(U) Summary of Findings

[ ] enclosed in a 1A envelope for the case file.
Precedence: ROUTINE Date: 04/04/2016
To: Washington Field

From: Washington Field
CI-13
Contact: [ ]
Approved By:
Drafted By:
Case ID #: [ ] CYBER - [ ]
Title: MIDYEAR EXAM;
MISHANDLING OF CLASSIFIED;
UNKNOWN SUBJECT OR COUNTRY;
SENSITIVE INVESTIGATIVE MATTER (SIM)
Synopsis: (U//FOUO) Summary of FBI database searches of indicators
identified from open source research.
References: [ ] CYBER, [ ]
Serial 141; Serial 13


Details:

(U//FOUO) Searches of open source datasets were used to identify IP
addresses and domains directly associated with or related to the Internet
domain “clintonemail.com” (see [ ] Serial 141). These
indicators were then searched in FBI databases, and the results of these
searches are listed below. In most cases, searches with positive results
were documented previously in separate ECs within the case file, so this
EC will provide summary results for each indicator, and reference ECs with
additional details for indicators with positive hits that were documented
previously.
(U//FOUO) DETAIL: A search of [ ] for clintonemail.com returned positive
results. [ ] results are documented in a separate EC: [ ]
CYBER, Serial 2.

(U//FOUO) DETAIL: A search of [ ] for presidentclinton.com returned
positive results. These results are documented in a separate EC:
[ ] CYBER, Serial 2. A search of Sentinel yielded references
to the same activity found in [ ] which is described in the serial mentioned
above. Details of the information found in [ ] is documented
in a separate EC as well: [ ] CYBER, Serial 13.

(U//FOUO) DETAIL: This search [ ] several positive hits but all from
before 06/2013 when [ ] shows the presidentclinton.com and
clintonemail [ ] were resolving here ([ ] Serial
141 for full details).

(U//FOUO) DETAIL: A search of [ ] returned positive
results. These results are documented in a separate EC: [ ]
CYBER, Serial 13.

(U//FOUO) DETAIL: A search [ ] for [ ] returned positive
results. These results are documented in a separate EC: [ ]
CYBER, Serial 13.

(U//FOUO) Separate ECs were written documenting the specifics of all
positive search results documented above (see references). Any
recommended investigative follow-up will be documented within the
referenced documents.


HRC-8872

HRC-8873

CLASSIFIED BY: NSICG J76J1sTs0
REASON: 1.4 (C)
DECLASSIFY ON: 12-31-2041
DATE: 01-18-2017
ALL INFORMATION CONTAINED
To: Washington Field

From: Washington Field
Approved By:

Case ID #: [ ] CYBER - 24

Title: MIDYEAR EXAM;
MISHANDLING OF CLASSIFIED;
UNKNOWN SUBJECT OR COUNTRY;
SENSITIVE INVESTIGATIVE MATTER (SIM)

Synopsis: (U//FOUO) Documents analysis of failed login attempts and
observed firewall activities subsequent to the public disclosure of
HILLARY CLINTON’s use of a private email server and the personal email
address of hdr22@clintonemail.com.

Classified By: J391344T8
Derived From: [ ] dated 20130301

Reference: [ ] CYBER-7


Details: (U//FOUO) This investigation has determined that on
03/02/2015 the NEW YORK TIMES published an article documenting
HILLARY CLINTON’s use of a private email server and her personal email
address of hdr22@clintonemail.com. As to be expected, the public
release of that information led to the increase of firewall activity
and failed login attempts to the exchange server operating behind
that domain.

(U//FOUO) The above referenced serial documents an analysis
performed on suspicious login attempts to an APPLE ICLOUD account
associated with email address hdr22@clintonemail.com. That analysis
revealed that multiple cyber actors had attempted to gain
unauthorized access to the ICLOUD account subsequent to the NEW YORK
TIMES article. Similarly, a review of firewall and IIS logs for the
clintonemail.com exchange server identified that it was targeted in
the same manner. Agent Note: The scope of this analysis only includes
the review of logs created subsequent to 03/02/2015. Writer did not
attempt to review every firewall and IIS log for this analysis.


(U//FOUO) EXCHANGE SERVER - IIS LOGS

(U//FOUO) The table below depicts the most frequent user
accounts which did not successfully authenticate to the exchange
server, yet were used for at least two failed login attempts.

(U//FOUO) USER ACCOUNT NAME    # ATTEMPTS
(U//FOUO) As shown on the previous page, the user accounts of [ ]
failed login attempts. This was also expected, as the targeting of
known or suspected user accounts is consistent with that of malicious
cyber actors.

(U//FOUO) The failed login attempts with usernames including
the [ ] handle could be attributed to attackers who gleaned the
account information from the NEW YORK TIMES article. However, the
failed login attempts during this time frame could also be attributed
to that of a legitimate user who accidentally entered an invalid
password. More indicative of potential cyber attackers, however, are
the failed login attempts that occurred with the usernames of


(S//NF) In analyzing the failed login attempts to the
non-existent [ ] account, writer identified that [ ] originated [ ]

(S//NF) In addition, writer identified that IP addresses [ ]
were used for login attempts on the non-existent [ ]
account; and [ ]

[ ] the purpose of this document, writer did not provide a complete
analysis [ ] as these were only failed attempts.

In addition to the repeated failed login attempts from
the accounts above, the following user account names were also used
for at least one failed login [ ]

[ ] these attempts could have been [ ]
a mistyped username from a legitimate user; for example, [ ]
and [ ]
(U//FOUO) DOMAIN CONTROLLER FIREWALL LOGS

(U//FOUO) For this analysis, writer also reviewed the firewall
logs obtained from the domain controller associated with the
clintonemail.com domain. That review identified that subsequent to
03/02/2015, several unauthorized access attempts were also captured
by the firewall. Those attempts are depicted in the following table:

(U//FOUO) As shown in the table, the domain controller firewall
captured unauthorized login attempts using several fictitious names.
Some of those events originated from IP addresses overseas. Writer
opines that this is also expected behavior, given the public release
of the clintonemail.com domain.
UNKNOWN SUBJECT OR COUNTRY;
SENSITIVE INVESTIGATIVE MATTER (SIM)

Synopsis: (U//FOUO) To document queries related to various
devices obtained through the course of investigation.

Classified By: F36M12K15
Derived From: [ ] dated 20130301
Declassify On: 20410408

Details: (U//FOUO) [ ] Cyber Division, on or
about 10 February 2015 received a Microsoft Excel spreadsheet
with approximately [ ] identifiers associated with a number of
electronic devices identified through the course of captioned
investigation. The identifiers were obtained directly off the
devices or through subpoena returns. IA [ ] queries on all
unique values yielded negative results in [ ]

(U//FOUO) On or about the date of this document,
writer received [ ] additional identifiers and subsequently
queried the new values. To be thorough, writer also conducted
queries on the [ ] values previously identified.

[ ] given that [ ]

(U//FOUO) A printout of the [ ] results is enclosed
in a 1A envelope for the case file.
SENSITIVE INVESTIGATIVE MATTER (SIM)

Details: (U//FOUO) In support of captioned investigation [ ]
findings are as follows:

(U) [ ] ALERT EMAILS

(U//FOUO) Writer reviewed [ ]
which contained [ ]

These exchanges were documented by [ ]
which writer also reviewed.

DECLASSIFIED BY: NSICG Céé6W46B11

HRC-8887


(U//FOUO) Analysis of all [ ]

(U//FOUO) [ ] provided records [ ]
however, were not supplied to the FBI (NFI).

HRC-8888
(U//FOUO) In addition to [ ]
date range, there are some dates for which [ ]
was not found in records subpoenaed from [ ]
only reviewed [ ] in the FBI’s possession.

(U//FOUO) [ ] For the
purpose of analysis supporting [ ]
reviewed [ ]

(U//FOUO) [ ]
along with [ ] findings, were compiled for further
analysis in Microsoft Excel worksheets, which are enclosed on a
disc in a 1A envelope for the case file.

[ ] IIS [ ]
corresponding date’s IIS logs, writer isolated the activity for
further analysis. The majority of the [ ] were not
searched. Writer surmises [ ]
the fact that [ ]
[ ] As such, the FBI supposes that the [ ]

HRC-8890

Overall, writer surmises that [ ]
was attempting to [ ]
for unknown reasons.

(U//FOUO) When news of the existence of the CESC mail
server broke public in early March 2015, numerous online media
outlets reported details about the server. Around that time and [ ]

(U//FOUO) Given the publicity related to the server
beginning in March 2015, writer assesses that an unidentified
individual possibly queried CLINTONEMAIL.COM using [ ]
to learn more about the server’s configuration in August [ ]
Precedence: ROUTINE Date: 05/17/2016
To: Washington Field

From: Washington Field
CI-13

Case ID #: [ ] CYBER-2e

Title: MIDYEAR EXAM;
MISHANDLING OF CLASSIFIED;
UNKNOWN SUBJECT OR COUNTRY;
SENSITIVE INVESTIGATIVE MATTER (SIM)

Synopsis: (U//FOUO) To document subpoena returns for [ ]

Classified By: F36M12K15
Derived From: [ ] dated 20130301
Declassify On: 20410517
Reference: [ ] CYBER-24
GJ-1A-56
GJ-1A-57
GJ-1A-58
GJ-1A-59
Details: (U//FOUO) The FBI’s Operational Technology Division
(OTD) successfully extracted a limited number of domain
controller logs captured by the CESC FORTIGATE80C firewall. OTD
subsequently provided logs for March 3-5, 2015 to the MIDYEAR
EXAM Investigative Team, which [ ] on or
about March 29, 2016. A log for March 22, 13 was also
extracted by OTD and analyzed by writer.

(U) DOMAIN CONTROLLER LOGS FOR MARCH 3-5, 2015

(U//FOUO) Per referenced serial, SA [ ] identified
approximately [ ] IP addresses that were unsuccessful in
attempting to log in to the domain controller subsequent to
March 2, 2015, the day THE NEW YORK TIMES published an article
documenting HILLARY RODHAM CLINTON’s use of a private email
server and her [ ] CLINTONEMAIL.COM. [Reference: [ ]
MIDYEAR EXAM, CYBER-24]

HRC-8894

(U//FOUO) A determination was made by the MIDYEAR EXAM
Investigative Team to not interview [ ]
given that the login attempts were unsuccessful.
(U) DOMAIN CONTROLLER LOG FOR JUNE 22, 2013

(U//FOUO) OTD was also able to extract one file from a
log directory [ ] found specifically at [ ]

OTD identified the file because,
when looking at the domain controller server natively, there was
reference to the foregoing path as a log directory when [ ]
authentication is enabled.

(U//FOUO) The log contained login information for [ ]
which writer analyzed. [ ] IP addresses were used to [ ]

HRC-8896

HRC-8897

ALL FBI INFORMATION CONTAINED HEREIN IS UNCLASSIFIED
DATE 10-25-2017 BY Cé6w46B11 NSICG
Precedence: ROUTINE Date: 05/17/2016
To: Washington Field

From: Washington Field
CI-13
Approved By:
Drafted By:

Case ID #: [ ] CYBER ~24

Title: MIDYEAR EXAM;
MISHANDLING OF CLASSIFIED;
UNKNOWN SUBJECT OR COUNTRY;
SENSITIVE INVESTIGATIVE MATTER (SIM)

Synopsis: (U//FOUO) To document details related to the
classification of foreign policy and intelligence memos authored
by SIDNEY BLUMENTHAL, and the finding of one of the memos in the
GUCCIFER ARCHIVE.

Classified By: F36M12
Derived From: [ ] dated 20130301
Declassify On: 2041051

Reference: [ ] CYBER-6
Details: (U) SIDNEY BLUMENTHAL (BLUMENTHAL) is a former 
political aide to President WILLIAM J. CLINTON and served as an 
advisor to HILLARY RODHAM CLINTON (CLINTON) during her tenure as 
Secretary of State, often providing her memos on various foreign 
policy and intelligence matters. 


(U) BLUMENTHAL Memo Classifications 
(U//FOUO) On or about May 13, 2016, [ ]
[ ] writer extracted [ ] for all available foreign
policy and intelligence memos authored by BLUMENTHAL and sent to
CLINTON. A total of [ ] memos were identified
[ ] Separately, [ ] and writer queried for all
Microsoft Word documents tagged with the labels “TD” and “B1,”
the latter of which signifies the document was deemed
CONFIDENTIAL following classification review. The list of B1
memos, totaling [ ], were extracted in a separate Microsoft Excel
spreadsheet.
(U//FOUO) In an effort to ensure the [ ] memos were
also captured in the list of [ ] writer compared both data
sets. For unknown reasons but likely due to [ ] to
pull all memos, only [ ] of the [ ] memos [ ] in
[ ] The [ ] not found [ ]

(U//FOUO) In addition to the [ ] memos tagged B1,
writer is also aware of another [ ] deemed SECRET
after classification review [ ]. Given its
classification [ ] memo to be listed in [ ]
B1 list. [ ] were compiled for the [ ]
classified memos [ ] SECRET).

(U//FOUO) Writer additionally compared the list of [ ]
known classified memos to an open source article published by
The Daily Caller on March 7, 2016, which claimed BLUMENTHAL sent
CLINTON 23 classified memos. The list of 23, however, contained
four emails whose text was redacted in part or full. One of the
emails contained an attached memo, but there is no indication
the totality (or parts) of the document was released through the
Freedom of Information Act [ ] The remaining 18
items [ ]

(U//FOUO) In sum, BLUMENTHAL authored [ ] memos deemed
CONFIDENTIAL and [ ] deemed SECRET. All memos were transmitted
utilizing his AOL account [ ]


(U) CLINTON Server Breach Allegations

(U//FOUO) In early May 2016, MARCEL LEHEL LAZAR
(LAZAR) publicly alleged he breached the CLINTON server in early
2013, shortly after compromising BLUMENTHAL’S AOL account.
LAZAR, also known as ‘GUCCIFER,’ claimed he used the compromise
of BLUMENTHAL’s account as a stepping stone to the CLINTON
server. Details about the allegations and analysis of the server
logs will be documented in a separate document.

(U//FOUO) Subsequent to LAZAR’s claims, writer [ ]
(U//FOUO) [ ] 16, 2016 SA [ ]
confirmed that [ ] The
memo [ ] and FOIA Case No. F-2014-20439, Doc.
No. C05792899) is CONFIDENTIAL and was entirely redacted
when released through the FOIA process. GUCCIFER almost
certainly obtained a copy of the now-classified memo when he
hacked BLUMENTHAL’s AOL account.

(U//FOUO) Correction to [ ] CYBER, Serial 6

(U//FOUO) Referenced serial, which detailed LAZAR’s
compromise of BLUMENTHAL’s AOL account, erroneously made
references to CLINTON exchanging emails with BLUMENTHAL using
her HROD17@CLINTONEMAIL.COM account. Writer also speculated that
the FBI could not discount the possibility of LAZAR having
searched for correspondence between BLUMENTHAL and her ‘HROD17’
account. After consulting with MIDYEAR EXAM Investigative Team
colleagues, writer determined HROD17@CLINTONEMAIL.COM was not
created until after the BLUMENTHAL’s account breach. Therefore,
there was no correspondence between BLUMENTHAL and ‘HROD17’;
BLUMENTHAL’s exchanges were only with CLINTON’s ‘HDR22’ account.


(U) According to a fact sheet released by 
HILLARYCLINTON.COM, CLINTON 


Used only one email account during her tenure at State 

[..] In March 2013, a month after she left the Department, 
Gawker published the email address she used while 
Secretary, and so she had to change the address on her 
account. At the time the printed copies were provided to 
the Department in 2014, because it was the same account, 
the new email address established after she left office 
appeared on the printed copies as the sender, and not the 
address she used as Secretary. In fact, this address on the
account did not exist until March 2013.


(U//FOUO) Writer hereby corrects any reference to
HROD17@CLINTONEMAIL.COM made in referenced serial, as the only
CLINTON account that corresponded with BLUMENTHAL was
HDR22@CLINTONEMAIL.COM.

(U//FOUO) Enclosed for the case file in a 1A envelope
are two discs: one contains memos’ metadata extracted from [ ]
and the other is writer’s compilation and check/sum of known
classified memos.

erence: above is also enclosed.
Precedence: ROUTINE Date: 06/05/2016
To: Washington Field
CI-13
Approved By:
Drafted By:

Case ID #: [ ] CYBER - 30

Title: MIDYEAR EXAM;
MISHANDLING OF CLASSIFIED;
UNKNOWN SUBJECT OR COUNTRY;
SENSITIVE INVESTIGATIVE MATTER (SIM)

Reference: [ ] CYBER-27
GJ-61

Details:

[ ] research indicated the [ ]
allows a remote attacker
to execute arbitrary code and cause a denial of service (DoS)
attack.

(U//FOUO) A determination [ ]

[ ] CYBER, serial [ ]

HRC-8905
Precedence: ROUTINE Date: 06/02/2016
To: Washington Field

From: Washington Field
CI-13

Contact: [ ]
Approved By: [ ]
Drafted By: [ ]
Case ID #: [ ] CYBER - 32

Title: MIDYEAR EXAM;
MISHANDLING OF CLASSIFIED;
UNKNOWN SUBJECT OR COUNTRY;
SENSITIVE INVESTIGATIVE MATTER (SIM)

Synopsis: (U//FOUO) Documents investigative actions taken in
response to allegations that Romanian hacker, MARCEL LEHEL LAZAR,
aka “GUCCIFER”, hacked HILLARY CLINTON’s (CLINTON) email server in
March of 2013.


Details: (U//FOUO) On 05/04/2016 and 05/07/2016, FOX NEWS released
two news articles reporting that Romanian hacker MARCEL LEHEL LAZAR
(LAZAR), aka “GUCCIFER”, had allegedly claimed to have hacked the
clintonemail.com server in March of 2013. Those two news articles
were derived from a series of interviews that FOX NEWS conducted with
LAZAR from his jail cell in Virginia.

(U) FOX NEWS ARTICLES

(U//FOUO) According to those articles, LAZAR reportedly hacked
the clintonemail.com server “like twice”, using an initial
compromise vector of SIDNEY BLUMENTHAL’s (BLUMENTHAL) AOL account
as a stepping stone to the clintonemail.com server. LAZAR stated that
from that compromise, he obtained an IP address for the
clintonemail.com server from the emails contained in BLUMENTHAL’s
account. The articles further relayed that LAZAR subsequently
utilized readily available computer network tools such as NETSCAN,
NETMAP, WIRESHARK, and ANGRYIP, to scan the server and see if it was
alive. According to the interviews, LAZAR utilized proxy servers in
Russia for his hacking activities, as he believed they afforded him
the best anonymity online. FOX NEWS reported no additional details
about how LAZAR allegedly hacked into the clintonemail.com server.
However, he reportedly stated that it “was easy” and that it followed
his normal “four step process”, which was to: 1) identify the target,
2) do extensive web research on the target, 3) access the target’s
account to harvest data, and 4) send victim data to the media.

(U//FOUO) Printouts of the original FOX NEWS articles are
enclosed for the file in a 1A envelope.


(U//FOUO) FBI INTERVIEW WITH LAZAR ON 05/26/2016

(U//FOUO) On 05/26/2016, LAZAR was interviewed by the FBI at
the UNITED STATES ATTORNEY’S OFFICE (USAO) in Alexandria, Virginia.
During that interview, LAZAR denied hacking the CLINTON email server
and stated that he had lied to FOX NEWS about that particular issue.
LAZAR stated that he did in fact attempt to identify the originating
IP address from an email header contained in BLUMENTHAL’s account.
However, LAZAR stated that he was only able to identify the IP address
of 127.0.0.1 for the clintonemail.com domain, which he identified
as an internal IP address. LAZAR stated that he assumed the 127.0.0.1
address was likely assigned to a mail server at the AOL service
provider and concluded his hacking attempts against the CLINTON
server at that time. According to LAZAR’s statements during the
interview, that encompassed the extent of his hacking activities
against the CLINTON server.

(U//FOUO) LAZAR provided that his compromise of BLUMENTHAL’s
account occurred on the date of 03/14/2013 and lasted for the duration
of approximately six to seven hours. LAZAR recalled that his access
was terminated in BLUMENTHAL’s account at approximately 08:00
Chicago Time.

(U//FOUO) During his interview with the FBI, LAZAR described
his familiarity with other hacking tools such as METASPLOIT, CAIN
AND ABLE, ANGRYIP, and SUBSEVEN. All of these tools are readily
available and can be used by hackers in furtherance of gaining
unauthorized access to systems. LAZAR described the basic
functionality of these tools but did not answer specific follow-up
questions about their corresponding capabilities and
functionalities. Additionally, LAZAR referred to himself as being
a script kiddie and an amateur hacker rather than a professional one.

HRC-8912

(U//FOUO) LAZAR provided that he utilized the MOZILLA FIREFOX
browser on a Windows-based operating system for conducting his
various hacking activities. Furthermore, he attempted to directly
log in to systems by typing IP addresses into his browser.

(U//FOUO) Further details about information provided by LAZAR
during his interview with the FBI can be found in the corresponding
FD-302 in this case file.


(U//FOUO) FORENSIC REVIEW OF THE CLINTON SERVER 


(U//FOUO) Given these allegations, writer performed additional
follow-up analysis in an effort to further determine whether or not
LAZAR was successful in hacking the CLINTON server. FBI investigation
has determined that LAZAR’s activities with the BLUMENTHAL AOL
account occurred on the date of 03/14/2013. Therefore, analytical
follow-up in this investigation primarily focused on the review of
digital forensics around that time period.

(U//FOUO) On or about 05/13/2016, writer spoke with the case
Agents for [ ] and obtained a list of approximately [ ]
IP addresses, which were identified as being used by LAZAR for his
hacking activities. Utilizing [ ], writer
conducted a search for any reference of those IP addresses in log
files that were obtained from the CLINTON server. No references of
those IP addresses were found in any of the Microsoft Internet
Information Services (IIS) logs on the server.

(U//FE8C) mputer 
Scientist (CS) was created bIE 
containin and other files from 


the CLINTON server. Again usin writer queried the master 
[file for any references of the GUCCIFER IP addresses 
and no results were returned. 
(U//FOUO) On or about 05/12/2016, writer pulled the unique IP
addresses from the 03/2013 IIS logs that were obtained from the
CLINTON server. Given that LAZAR reportedly utilized Russian proxies
for his hacking activities, writer then attempted to identify any
[redacted] in the 03/2013 logs. Of interest
to this investigation is that [redacted]
for that IP revealed [redacted]
b7E


(U//FOUO) An additional log entry was identified on 03/15/2013
at 08:15:54, from an IP address listed as “ee://aol/http”. Open
source information indicates that this log entry represents an AOL
toolbar installed on a browser. An additional review of the
[redacted] listed for both entries in the IIS logs identified
that they both contained [redacted].
Given that, writer
reviewed the 03/2013 IIS logs for additional references of the same
[redacted] and found several other references of the same.
They are listed below along with their corresponding IP addresses
and the dates and times that they were referenced in the logs:


[redacted]
b7E


(U//FOUO) The above listed [redacted] denotes the
[redacted] information that is passed along
to the server with the request. However, it does not necessarily
uniquely identify [redacted]
[redacted] could be of relevance in this
investigation as they: 1) represent attempts to access an
Administrator web page on the server; 2) highlight the attempts were
made from IP addresses located [redacted]; 3) show that the
attempts were made from a Windows operating system with a MOZILLA
FIREFOX browser; and 4) that all occurred subsequent to the
BLUMENTHAL account compromise. The attempt [redacted]
is specifically of interest because it occurred around the same time
frame in which LAZAR had access to the BLUMENTHAL account.
b7E
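The log review described above (searching the IIS logs for a list of indicator IP addresses, pulling the unique client IPs for a period, and isolating requests to an administrator page) can be sketched as follows. This is an added example, not part of the FBI document or the redacted tooling the writer used; the sample log lines, the `/admin` path prefix and the use of `cs(User-Agent)` as the pivot field are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not from the case file).
# The column layout changes mid-file, as happens when logging is reconfigured,
# one client value is not an IP address at all, and the last row is truncated.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2013-03-14 09:01:12 GET /owa/ 192.0.2.10 Mozilla/5.0+(iPad) 200
2013-03-14 13:05:40 GET /admin/ 203.0.113.77 Mozilla/5.0+(Windows+NT+6.1;+rv:19.0)+Firefox/19.0 401
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2013-03-15 08:15:54 ee://aol/http GET /owa/ 200 -
2013-03-16 02:44:09 198.51.100.23 GET /admin/login.aspx 401 Mozilla/5.0+(Windows+NT+6.1;+rv:19.0)+Firefox/19.0
2013-03-16 02:44:10 198.51.100.23 GET
"""


def parse_iis(text):
    """Return (entries, skipped). Each entry maps field name -> raw value.
    The most recent #Fields: directive defines the columns of the rows after it."""
    fields, entries, skipped = [], [], 0
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            skipped += 1          # truncated or corrupt row: count it, do not guess
            continue
        entries.append(dict(zip(fields, values)))
    return entries, skipped


def unique_clients(entries):
    """Split c-ip values into parsed addresses and values that are not IPs."""
    ips, other = set(), set()
    for e in entries:
        raw = e.get("c-ip", "-")
        try:
            ips.add(ipaddress.ip_address(raw))
        except ValueError:
            other.add(raw)        # keep for manual review instead of dropping
    return ips, other


def match_indicators(entries, indicators):
    """Entries whose client IP falls in any indicator (single IP or CIDR)."""
    nets = [ipaddress.ip_network(i, strict=False) for i in indicators]
    hits = []
    for e in entries:
        try:
            ip = ipaddress.ip_address(e.get("c-ip", ""))
        except ValueError:
            continue
        if any(ip in n for n in nets):
            hits.append(e)
    return hits


def admin_hits(entries, prefix="/admin"):
    """Requests whose URI stem starts with the (assumed) admin path prefix."""
    return [e for e in entries
            if e.get("cs-uri-stem", "").lower().startswith(prefix)]


def pivot(entries, field):
    """Group (date, time, client) by the value of one logged field."""
    groups = defaultdict(list)
    for e in entries:
        value = e.get(field, "-")
        if value != "-":
            groups[value].append((e["date"], e["time"], e.get("c-ip", "-")))
    return dict(groups)


if __name__ == "__main__":
    rows, bad = parse_iis(SAMPLE_LOG)
    print(len(rows), "rows parsed,", bad, "skipped")
    print("indicator hits:", match_indicators(rows, ["203.0.113.0/24"]))
    print("admin requests:", [(e["date"], e["c-ip"]) for e in admin_hits(rows)])
```

An empty result from `match_indicators` only shows that the listed addresses do not appear in the logs that were parsed; rows counted in `skipped` and periods the logs do not cover are outside that conclusion.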


(U//FOUO) Given the findings in this analysis, writer assesses
it is possible that LAZAR’s statements during the debrief with the
FBI on 05/26/2016 may not have been entirely accurate, and that he
may have actually identified the X-originating IP address for the
CLINTON server during the compromise of BLUMENTHAL’s account.
Additionally, it is possible that LAZAR may have attempted to access
the CLINTON server on at least one occasion [redacted].
However, no additional forensic evidence has been
identified in this investigation to directly tie LAZAR to the failed
attempt [redacted]

U In support of this analysis, writer also utilized
[redacted] specific search terms through the [redacted]
file in an effort to identify whether or not certain programs were
executed on the system.
b7E


(U//FOUO) Of interest for this analysis is that writer
identified [redacted] in the log files
for the CLINTON server. The majority of dates listed for the entries
occurred in [redacted]
A review of the logs identified that
someone logged in to the Administrator account, downloaded the
[redacted] program, and ran it. Additionally, writer identified that
certain logs did not encompass dates prior to [redacted]; therefore,
a determination could not be made about the same activity in [redacted]
At this time, it is unknown who downloaded and ran [redacted]
from the Administrator account in 06/2013.


b7E
Precedence: ROUTINE Date: 06/17/2016
To: Washington Field
From: Washington Field
CcI-13
b6
Approved By: [redacted] b7C
b7E
Drafted By: [redacted]
Case ID #: [illegible] -33
Title: (U) MIDYEAR EXAM;
MISHANDLING OF CLASSIFIED;
UNKNOWN SUBJECT OR COUNTRY;
SENSITIVE INVESTIGATIVE MATTER (SIM)
Synopsis: (U//FOUO) To document files found on the desktop of
BRYAN PAGLIANO.
Classified By: [illegible]
Derived From: [redacted] dated 20130301
Declassify On: 20410617
b1
b3
b7E


Details: (U//FOUO) In support of captioned investigation,
various files saved on the desktop of BRYAN PAGLIANO (PAGLIANO)
[redacted]
extracted from the three files were queried in FBI
databases in an effort to identify any association with
previously established malicious activity. The three files can
be found in [redacted] b7E


UNCLASSIFIED//FOR OFFICIAL USE ONLY


b7E
[redacted] It remains unknown why
PAGLIANO saved these [redacted] in particular
when the server is known to repeatedly have experienced brute
force attacks.
(U//FOUO) PAGLIANO also saved [redacted]
Based on forensic
analysis, the PAGLIANO server [redacted] b1


HRC-8918


(Rev. 05-01-2008) b3


(U//FOUO) In sum, [redacted] b7E
none of the [redacted] queried in FBI databases were
associated with clear cyber intrusion activity.


(U//FOUO) It remains unknown why PAGLIANO saved
[redacted] or if he followed up on the data. It also
remains unknown if all [redacted] listed in the .txt file were
observed on the same [redacted] or if PAGLIANO kept a running list of
[redacted] b7E


(U//FOUO) Printouts of the three .txt documents are
enclosed in a 1A envelope for the case file.
Approved By: [redacted]
Case ID #: [redacted] CYBER -35
Title: (U) MIDYEAR EXAM;
MISHANDLING OF CLASSIFIED;
UNKNOWN SUBJECT OR COUNTRY;
SENSITIVE INVESTIGATIVE MATTER (SIM)
b7E
Reference: [redacted] CYBER-6
[redacted] CYBER-29
[redacted] CYBER-31
[redacted] CYBER-32
b3
b7E
Details: (U//FOUO) FBI Washington Field Office (WFO) provided
[redacted]
b7E


(U/ Pete) In ass of aia Soles ans 
Approved By:
Drafted By:
Case ID #: [redacted] CYBER -37


Title: (U) MIDYEAR EXAM;
MISHANDLING OF CLASSIFIED;
UNKNOWN SUBJECT OR COUNTRY;
SENSITIVE INVESTIGATIVE MATTER (SIM)


Synopsis: To summarize suspicious login activity to
[redacted] on January 5, 2013.
Classified By: F36M12
Derived From: [redacted] dated 20130301
Declassify On: 20410705


Reference: [redacted] 302, serial 88


Details: U Per referenced serial [redacted], the
user of [redacted] was interviewed
telephonically by the Federal Bureau of Investigation on
June 29, 2016 regarding her knowledge and use of The Onion
Router (Tor), a tool that enables anonymous communication on the
Internet. [redacted] offered she was not familiar with Tor and has
never used the tool. Tor, however, was used to successfully log
in to [redacted] e-mail account on January 5, 2013. A summary of
the event is detailed below.


(U//FOUO) On January 5, 2013, [redacted] e-mail account,
which was hosted on HILLARY CLINTON’s personal e-mail server
[redacted]ly accessed from a Tor node [redacted]
Based on available log information, the account [redacted]
Over the course of [redacted]
browsing was conducted. While [redacted]
cannot be determined, analysis of the [redacted]
noted that [redacted]
continuous inbox [redacted]


(U//FOUO) Given the nature of Tor, the client IP
address changed approximately every 8-10 minutes. Over the
[redacted] were logged:


(U//FOUO) Based on statements and log
information, the FBI assesses [redacted] was
accessed without authorization on January 5, [redacted]. It remains
unknown how [redacted] credentials were compromised, and if any
information was exfiltrated from her inbox.


[redacted] disc containing a copy of the IIS logs
related to [redacted] account for January 5, [redacted]
a 1A envelope for the case file.
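The pattern this memo describes, one mailbox session whose client IP address changes roughly every 8-10 minutes because the traffic leaves through Tor, can be detected from per-request log records. The following is an added example, not part of the FBI document; the account names, events and the `TOR_EXITS` set are constructed, and a real review would use a Tor exit list dated to the log period.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed events: (timestamp, account, client_ip); documentation-range IPs.
EVENTS = [
    (ts("2013-01-05 10:00:05"), "user_a", "203.0.113.5"),
    (ts("2013-01-05 10:04:40"), "user_a", "203.0.113.5"),
    (ts("2013-01-05 10:09:10"), "user_a", "198.51.100.8"),
    (ts("2013-01-05 10:17:30"), "user_a", "198.51.100.8"),
    (ts("2013-01-05 10:18:45"), "user_a", "192.0.2.66"),
    (ts("2013-01-05 10:27:00"), "user_a", "192.0.2.66"),
    (ts("2013-01-05 10:28:20"), "user_a", "203.0.113.91"),
    (ts("2013-01-05 09:00:00"), "user_b", "192.0.2.10"),
    (ts("2013-01-05 09:20:00"), "user_b", "192.0.2.10"),
    (ts("2013-01-05 15:00:00"), "user_b", "192.0.2.11"),
]
# Constructed stand-in for a Tor exit list valid on the date of the logs.
TOR_EXITS = {"203.0.113.5", "198.51.100.8", "192.0.2.66", "203.0.113.91"}


def split_sessions(events, idle=timedelta(minutes=30)):
    """Group each account's events into sessions separated by idle gaps."""
    by_account = defaultdict(list)
    for when, account, ip in sorted(events):
        by_account[account].append((when, ip))
    sessions = []
    for account, rows in by_account.items():
        current = [rows[0]]
        for row in rows[1:]:
            if row[0] - current[-1][0] > idle:
                sessions.append((account, current))
                current = [row]
            else:
                current.append(row)
        sessions.append((account, current))
    return sessions


def ip_runs(rows):
    """Collapse a session into consecutive runs: [ip, first_seen, last_seen]."""
    runs = []
    for when, ip in rows:
        if runs and runs[-1][0] == ip:
            runs[-1][2] = when
        else:
            runs.append([ip, when, when])
    return runs


def rotating_sessions(events, tor_exits, min_ips=3):
    """Sessions in which one account is served to at least min_ips client IPs."""
    flagged = []
    for account, rows in split_sessions(events):
        runs = ip_runs(rows)
        ips = [r[0] for r in runs]
        if len(set(ips)) < min_ips:
            continue
        # Minutes between the first sighting of one IP and of the next.
        gaps = [(b[1] - a[1]).total_seconds() / 60 for a, b in zip(runs, runs[1:])]
        flagged.append({
            "account": account,
            "start": rows[0][0],
            "end": rows[-1][0],
            "ips": ips,
            "median_rotation_min": round(median(gaps), 1),
            "tor_matches": sum(ip in tor_exits for ip in set(ips)),
        })
    return flagged


if __name__ == "__main__":
    for s in rotating_sessions(EVENTS, TOR_EXITS):
        print(s["account"], s["ips"], s["median_rotation_min"], s["tor_matches"])
```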
Synopsis: (U//FOUO) To document analysis of HILLARY RODHAM
CLINTON’s logins to the BRYAN PAGLIANO Server.


Classified By: [illegible]
Derived From: [redacted] dated 20130301
Declassify On: 20411231


Reference: [redacted] 302, serial 87
[redacted] 302, serial 90
b3
b7E


Details: (U//FOUO) On or about June 17, 2016, Operational
Technology Division (OTD) provided HILLARY RODHAM CLINTON’s
(CLINTON) logins to the BRYAN PAGLIANO (PAGLIANO) Server, which
was in service from approximately late March 2009 to late June
2013. The data provided by OTD was requested in an effort to
identify: when CLINTON may have begun using the PAGLIANO Server
for e-mail purposes; possible suspicious login activity while
her account was hosted on the PAGLIANO Server; and determine
whether logins were conducted from high-threat countries CLINTON
traveled to during her tenure as U.S. Secretary of State.


(U//FOUO) Analysis of e-mail records obtained by the
FBI revealed CLINTON began using the e-mail address
HDR22@CLINTONEMAIL.COM¹ on or about January 23, 2009, having
previously used HRI5S@ATT.BLACKBERRY.NET. CLINTON’s new e-mail
address presumably was hosted on the APPLE Server once the
switch occurred. This assessment is supported by the fact that
the PAGLIANO Server was not operational for e-mail until March
19, 2009.


(U//FOUO) Of note, the FBI was unable to verify if,
and for how long, HDR22@CLINTONEMAIL.COM was hosted on the APPLE
Server, as the device was not turned over to the FBI for
forensic examination. Additionally, investigation to date has
not been able to identify the exact date of when
HDR22@CLINTONEMAIL.COM was first hosted on the PAGLIANO Server.
However, based on e-mail analysis of HUMA ABEDIN’s (ABEDIN) U.S.
Department of State (STATE) OpenNet account, the first
reflection of HDR22@CLINTONEMAIL.COM is on an e-mail dated
January 23, 2009
b7E


(U//FOUO) Logins for CLINTON were available from April
18, 2009 to June 30, 2013. There were approximately [redacted]
events captured in the PAGLIANO Server's Internet Information
Services (IIS) logs, with activity stemming from [redacted] unique IP
addresses. Writer geo-located all IP addresses and found that
[redacted] resolved to the United States and [redacted] to foreign nations.
b7E


(U//FOUO) Logins from US-Based IP Addresses


(U//FOUO) Of the [redacted] US-based IP addresses, [redacted]
resolved to public Internet Service Providers; the
remaining [redacted] IP addresses resolved to STATE and [redacted]
and the other two to the U.S. Air Force [redacted]
Logins from the U.S.
Government IP addresses were scrutinized given that CLINTON was
not known to have had a computer terminal while at STATE, and
[redacted]
repeated logins in 2011 and 2012 from IP addresses resolving to
[redacted]
b7E


(U//FOUO) Logins Conducted from STATE IP Addresses


(U//FOUO) Logins from the STATE IP addresses were
conducted on March 12, 201[redacted]
Based on statements provided to the FBI,
which noted a limited number of individuals had authorized
access to CLINTON’s e-mail account, logins from STATE IP
addresses likely were carried out by CLINTON’s aides. These
individuals had authorized access for a variety of reasons, one
of which was to facilitate the retrieval of old messages, as
CLINTON’s BLACKBERRY devices only held 30 days’ worth of e-mail
traffic. [Reference: [redacted] 302, serials 87 and 90]
b3
b7E

(U//FOUO) Logins Conducted from USAF IP Addresses

U Analysis of logins conducted from [redacted]
found that CLINTON’s account was
accessed on numerous occasions in 2011 and 2012 from the [redacted]
aforementioned IP addresses. The majority of the events captured
denoted [redacted]
It remains unknown why two USAF IP addresses
are reflected in the IIS logs; however, a possible explanation
is that CLINTON’s iPad devices were connected to a USAF network,
perhaps the C-32 airplane² she traveled on when on official
business. Writer assesses this is a likely explanation, as the
dates of activity reflected on the IIS logs correlate with
CLINTON’s official overseas travel schedule, as published by
STATE.
b7E


(U//FOUO) Logins from Foreign IP Addresses


(U//FOUO) Writer resolved the [redacted] foreign IP
addresses, which resulted in the following:


UNCLASSIFIED//FOR OFFICIAL USE ONLY


IP Address Date of Login


[redacted]
b7E


(U//FOUO) The date(s) of login activity from each of
the above-listed countries was compared to CLINTON’s official
overseas travel schedule. Writer found that in most cases
CLINTON was on official travel to the country from where the
login occurred, or in the same geographical region she was on
travel to, possibly suggesting a layover or short stop given the
proximity in travel dates.


² (U) The C-32 is a military version of the Boeing 757-200 commercial intercontinental airliner. These airplanes are
currently used for high-priority personnel transport, to include the U.S. Secretary of State.
(U//FOUO) Writer found that logins from [redacted],
however, were suspicious, as
CLINTON was not on travel to either country or in another close-by
nation-state around the date login activity [illegible] in
the [illegible]. In the case of login activity from [redacted] on
[redacted], CLINTON’s official travel schedule noted she was
in Lebanon on April 26, 2009 and did not travel again on
official business until May 31, 2009, [redacted]
El Salvador. It is unknown if CLINTON [redacted]
for approximately [redacted] after her [redacted]
Lebanon, though it is a [redacted] explanation for the
login activity from [redacted]


(U//FOUO) Other suspicious activity occurred on [redacted]
[redacted] an IP address that resolved to [redacted] b7E
According to CLINTON’s official overseas travel schedule, she
was in Singapore on that date and traveled to the People’s
Republic of China on November 16, 2009. As such, a login from
[redacted] seemed unusual.


(U//FOUO) Given that CLINTON’s tenure as U.S.
Secretary of State ended on February 1, 2013, writer was unable
to ascertain [illegible]lation between her travel and
logins from [redacted] in [redacted] as the
activity occurred almost [redacted] after she had left office³.
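The comparison described in this section, geolocated login dates checked against a published travel schedule, with logins from the visited country or its region treated as explained and logins after the schedule ends treated as undeterminable, can be expressed as a small classifier. This is an added example, not part of the FBI document; the country codes, regions, itinerary and logins are constructed placeholders, and the two-day slack window is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Stop:
    country: str
    arrive: date
    depart: date


@dataclass(frozen=True)
class Login:
    day: date
    ip: str
    country: str   # country the client IP geolocated to


# Constructed data: placeholder country codes and documentation-range IPs.
REGION = {"AA": "R1", "AB": "R1", "BA": "R2", "ZZ": "R3"}
ITINERARY = [
    Stop("AA", date(2009, 4, 24), date(2009, 4, 26)),
    Stop("BA", date(2009, 5, 31), date(2009, 6, 2)),
]
SCHEDULE_END = date(2013, 2, 1)   # last day the travel schedule covers
LOGINS = [
    Login(date(2009, 4, 25), "192.0.2.14", "AA"),     # in-country during a stop
    Login(date(2009, 4, 27), "198.51.100.7", "AB"),   # neighbour, day after departure
    Login(date(2009, 5, 12), "203.0.113.50", "ZZ"),   # no stop anywhere near
    Login(date(2009, 6, 1), "192.0.2.200", "US"),     # home country
    Login(date(2013, 3, 20), "203.0.113.9", "ZZ"),    # after the schedule ends
]


def classify(login, itinerary, region, schedule_end, home="US", slack_days=2):
    """Label one login against the itinerary.

    slack_days widens each stop to allow for layovers and time-zone drift
    between the log timestamp and the published travel dates."""
    if login.country == home:
        return "domestic"
    if login.day > schedule_end:
        return "outside-schedule"      # nothing to compare against
    slack = timedelta(days=slack_days)
    near = [s for s in itinerary
            if s.arrive - slack <= login.day <= s.depart + slack]
    if any(s.country == login.country for s in near):
        return "on-travel"
    login_region = region.get(login.country)
    if login_region and any(region.get(s.country) == login_region for s in near):
        return "same-region"
    return "unexplained"


def review(logins, itinerary, region=REGION, schedule_end=SCHEDULE_END):
    """Return (login, verdict) pairs in date order."""
    ordered = sorted(logins, key=lambda l: l.day)
    return [(l, classify(l, itinerary, region, schedule_end)) for l in ordered]


def unexplained(logins, itinerary):
    """Logins that need follow-up. Geolocation reflects where the network is
    registered (VPN, aircraft or government egress), so this is a lead list."""
    return [l for l, verdict in review(logins, itinerary) if verdict == "unexplained"]


if __name__ == "__main__":
    for login, verdict in review(LOGINS, ITINERARY):
        print(login.day, login.ip, login.country, verdict)
```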


b7E 


(U//FOUO) Logins Likely Conducted by CLINTON’s Aides During and
After Her Tenure as U.S. Secretary of State


(U//FOUO) As mentioned above, select staff members had
authorized access to CLINTON’s e-mail account during her tenure
as U.S. Secretary of State. A closer look at login activity
conducted from US-based and overseas locations revealed aides
probably were responsible for logins to CLINTON’s e-mail account
between 2009 and 2013, the duration of CLINTON’s tenure.


(U//FOUO) Logins from US-Based IP Addresses


(U//FOUO) [redacted] analysis of US-based [redacted]
activity revealed repeated logins to CLINTON’s account between
2009 and 2013 likely was done by [redacted] members, judging by
[redacted]
b7E


³ (U) CLINTON served as U.S. Secretary of State from January 21, 2009 to February 1, 2013.
(U//FOUO) While writer was unable to establish with a
definite degree of certainty that a significant number of logins
were conducted by CLINTON aides, statements provided to the FBI
by at least two witnesses make it likely the activity was
carried out by CLINTON staff members. As an example, MONICA
HANLEY (HANLEY) is known to have created an archive of CLINTON’s
inbox following the compromise of SIDNEY BLUMENTHAL’s personal
e-mail in March 2013. HANLEY offered to the FBI that she used an
APPLE Macintosh computer shortly thereafter to access CLINTON’s
e-mail and archive me[illegible] that was reflected in the
IIS logs. [Reference: [redacted] 302, serials 87]


(U//FOUO) Logins from Foreign IP Addresses


(U//FOUO) Login activity [redacted] revealed [redacted]
were responsible for logins from [redacted]
This assessment is based on closer inspection of [redacted]
activity, which indicated that [redacted]
were used to log in to CLINTON’s
account. Based on statements provided to the FBI, CLINTON is
only known to have used BLACKBERRY and APPLE iPad devices to
access her account, rendering it likely that logins from
[redacted] members.
b7E

(U//FOUO) Logins [redacted]
were conducted from IP addresses that resolved to the
[redacted] that
[redacted]
b3
b7E


Given the above, it is likely
these [redacted] carried out by CLINTON’s aides, as CLINTON did
not use [redacted]; she only utilized iPad devices, which
run on APPLE iOS software. This could explain the
anomalous logins [redacted] detailed earlier in
this document.


(U//FOUO) There is insufficient data to determine if
connections to the CLINTON server from overseas were conducted
from public or secure networks. As a consideration, if security
was considered by aides, logins may have been conducted from a
secure network, such as those in place at U.S. diplomatic posts.


(U//FOUO) A disc with logins to CLINTON’s account from
April 18, 2009 to June 30, 2013, and IP address resolutions, is
enclosed in a 1A envelope for the case file. A separate disc
with the raw data obtained from OTD, dated June 17, 2016, is
also enclosed.
Securing Personal E-mail Accounts


United States Department of State
United States Secretary of State Hillary Rodham Clinton
June 28, 2011


Department of State 
United States of America 


MRN: 11 STATE 65111 

Date/DTG: Jun 28, 2011 /282223Z JUN 11 

From: SECSTATE WASHDC 

Action: ALL DIPLOMATIC AND CONSULAR POSTS COLLECTIVE ROUTINE 
E.O.: 13526 

TAGS: APCS, ASEC, AADP, AMGT 

Subject: Securing Personal E-mail Accounts 


UNCLAS STATE 065111 

E.O. 13526: N/A 

TAGS: APCS, ASEC, AADP, AMGT 
SUBJECT: Securing Personal E-mail Accounts 


Reference: 


A) 12 FAM 544.3 


1. Department of State users are encouraged to check the security settings and change passwords of 
their home e-mail accounts because of recent targeting of personal e-mail accounts by online 
adversaries. Security guidelines have been posted on the DS/SI/CS Cyber Security Awareness 
web page: 
http://intranet.ds.state.sbu/DS/SI/CS/A wareness | /Content/Personal%20Email.aspx. 


2. Recently, Google asserted that online adversaries are targeting the personal Gmail accounts of 
U.S. government employees. Although the company believes it has taken appropriate steps to 
remediate identified activity, users should exercise caution and follow best practices in order to 
protect personal e-mail and prevent the compromise of government and personal information. 

The DS/SI/CS Cyber Security Awareness web site contains guides to help secure the web-based
e-mail accounts of users and their families.
This information can be accessed at:


http://intranet.ds.state.sbu/DS/SI/CS/A wareness | /Content/Personal%20Email.aspx. 
3. What can you and your family members do? 

a. Follow the personal e-mail guides posted on the Awareness site to change your password, 
to ensure that messages are not auto-forwarding to an unintended address, and to verify 
that other security settings are properly configured. 

b. Beware of e-mail messages that include links to password reset web pages. These can be 
easily faked. 

c. Create strong passwords for all of your online accounts, change them often, and never use 
the same password for more than one account. 

d. Avoid conducting official Department business from your personal e-mail accounts. 

e. Do not reveal your personal e-mail address in your work "Out of Office" message. 

f. Do not auto-forward Department e-mail to personal e-mail accounts, which is prohibited 
by Department policy (12 FAM 544.3). 

4. Questions regarding cyber security awareness should be addressed to awareness@state.gov 


CLINTON 


Retrieved from "https://en.wikisource.org/w/index.php?title=Securing_Personal_E-mail_Accounts&oldid=5282193" 


This work is in the public domain in the United States because it is a work of the United States 
federal government (see 17 U.S.C. 105). 


From:
Sent: Thursday, February 18, 2016 [illegible]:29 PM
To:
Subject: RE: Optiv


Cool. Thanks. Someone looking to work there and was concerned.


b6
b7C


PLATTE RIVER networks
We build better networks. Because your business depends on [illegible]


Sent: Thursday, February 18, 2016 4:18 PM b7C
To:
Subject: RE: Optiv


Fishnet used to be a smallish shop out of Kansas City, which grew to 500+ head count over the years, and prior to the 
merger. A lot of the tech talent and leadership bounced because their culture was now colonized by big corporate. 
Beyond that, I’ve not heard of any issues other than what you would expect from a merger... integration issues (with 
systems, processes, and culture). We have never done any work with them from a partner standpoint. 


b6


Sent: Thursday, February 18, 2016 4:11 PM
To:


Subject: RE: Optiv 


Since their merger last year I’m hearing they are having lots of problems. 
Do you run into them ever? 
Sent: Thursday, February 18, [illegible]
[illegible]
Subject: RE: Optiv 


Not sure what you are referencing... 


From: 


Sent: Thursday, February 18, 2016 3:45 PM. 
To 


Subject: Optiv 


What's up with Optiv? Are they tanking? What are you seeing? 


PLATTE RIVER networks
We build better networks. Because your business depends on [illegible]


[illegible]
From:

Sent: Tuesday, February 02, 2016 9:06 PM 
To: 

Subject: FW: SnowFROC 2016 conference 
Attachments: SnowFROC16Promo.pptx 


See attached and below. Thought you might be interested. 
From: [redacted] b6
Sent: [illegible] February 02, 2016 7:10 PM b7C
To:

Subject: SnowFROC 2016 conference

[redacted]


Attached is info on the conference I'm putting on Feb 18th. It is at SecureSet. 3801 Franklin Street, Denver 
80205. 


If you know anyone who wants to sponsor that would be great. I've attached the sponsor forms and a slide with
the info on it.


Let me know if you want to come and I'll print up a complimentary badge for you. 


Thanks!! 
From:
Sent: Tuesday, December 08, 2015 10:10 AM
To:
Subject: RE: URGENT - spoofed email and wire...


[redacted] b6
b7C

This is a common attack scenario. I’m a slow typer, but free to catch up by phone to discuss. I am free today from 11:30-2,
or after 4:30 for a call. Please feel free to call whenever you have a moment.


[redacted]
From: [redacted] b6
b7C


Sent: Tuesday, December 08, 2015 9:28 AM


Subject: URGENT - spoofed email and wire...


Our client had an internal exec email spoofed and causing an inadvertent $25K wire going out.


Can we ask for your advice on how to keep this from happening in the future.


I have copied [redacted] and [redacted] who are working on this for the client. Have you seen this before? b6
b7C
What do you recommend?
Thanks!
b6
b7C
From:
Sent: Monday, August 31, 2015 2:14 PM
To:
Subject: RE: Thoughts??


Finally quieted down once our Publicists got the facts out.


Expect it to flare up a few more times then disappear. Yay!


PLATTE RIVER networks
We build better networks. Because your business depends on [illegible]


b6
Sent: Monday, August 31, 2015 2:04 PM b7C
To:
Subject: RE: Thoughts??


We may throw something together. Debating if we can pull it off. How’s the media shit storm treating you? 


~ bE 


From:
Sent: Monday, August 31, 2015 12:20 PM b7C
To:
Subject: FW: Thoughts??
b6


From: [redacted] b6
Sent: Monday, August 31, 2015 10:50 AM b7C
To:
Subject: Thoughts??


Not a whole lot of time....RFP due Sept 3° @


PLATTE RIVER
[illegible]
Sent: Saturday, May 02, 2015 1:32 PM
Subject: Re: Risk Assessment


Perfect
Thx


Sent from my iPhone


b7C
Thanks for the email [redacted]. He left me a voicemail on Friday but I was traveling all day. I am planning on
calling him on Monday. We routinely do risk assessments for our clients cyber reach insurance
underwriting. Will keep you posted.


Thanks,


b7C
[redacted]
Please see below. Can we make an introduction?


Sent: Friday, May 01, 2015 12:54 PM b7C
To:
Cc: CRC
Subject: Risk Assessment


Hey guys — not sure where to go with this one. Just got a call from [redacted] b6
[redacted] are a CPA Firm downtown. They are looking into b7C
getting Cyber Insurance and in order to do this they need a risk assessment done on
their network by someone other than their in house IT guy. They have 50 users.


He was referred to us by the ALA and remembers meeting [redacted] about 3 years ago.
Gmail


b7C
Re Clinton email
7 messages

Wed, Mar 11, 2015 at 10:13 AM
b6
Hi! It’s [redacted] Wondering if u might be available for a live telephone interview this Saturday morning for our KNUS radio show. Want to talk about Hillary
Clinton having Own Server from a cyber security point of view. We r thinking 8 am b7C
Sent from my IPhoneght

Wed, Mar 11, 2015 at 12:53 PM
To:
Hey [redacted] I never miss the opportunity for a media appearance, But I think I'll definitely take a pass on this one. LOL
b6
b7C
Begin forwarded message:
From:
Date: March 11, 2015 at 10:13:43 AM MDT
To:
Subject: RE Clinton email
b6
b7C


Hi! It’s [redacted] Wondering if u might be available for a live telephone interview this Saturday morning for our KNUS radio show. Want to talk about Hillary
Clinton [illegible] from a cyber security point of view. We r thinking 8 am
Sent from my iPhoneght


To:
b7C


Too funny
Thanks for passing


Sent from my iPhone
[Quoted text hidden]


Hi, thanks for reaching out to us but I will be out of the country until March 25, and will not be available in the meantime. Please keep in touch in the future as I
truly appreciate the offer.


Thanks [redacted]
b6
b7C


[Quoted text hidden]
b7C


HRC-9082


Thanks and enjoy your trip


Is there anyone else with your company that you could recommend?


Thanks,
[Quoted text hidden] b6
b7C

Thu, Mar 12, 2015 at 8:45 AM
To:
SecurityWeek.Com
www.securityweek.com/clinton-email-server-vulnerable-3-months-venafi
b6
[Quoted text hidden] b7C

Fri, Mar 13, 2015 at 9:27 AM
To:
Good thing we did not take over until after she left office in July of 2013
From: b6
Sent: Thursday, March 12, 2015 7:46 AM b7C
Subject: Re: Re Clinton email


[Quoted text hidden]
[Quoted text hidden]
Gmail


b7C
FW: clinton's - please read - do we need to make these changes recommended?
7 messages
Sat, Mar 7, 2015 at 4:16 PM b6
b7C


Please read article below regarding cert for the Clinton’s Fortinet firewall.


b6
Is this sufficient [redacted] is working on this now. b7C
THANKS

b6
b7C


Subject: RE: clinton’s - please read - do we need to make these changes recommended?


This only affects remote login [redacted] and nothing to do with the email/email server. b4
b6
b7C


That being said, we may want to [redacted] altogether. What do you [illegible]? We would just need to [redacted] to manage
it
b6
b7C


[illegible] Clinton's - please read - do we need to make these changes recommended?


Clinton’s top aide during that period, Cheryl Mills, is a respected scandal-defense lawyer. As a member of the White
House counsel's office, Mills helped guide President Bill Clinton through a series of investigations in the 1990s and
won praise for her performance in successfully defending him when the Senate voted not to remove him from office in
1999.


HRC-9084


Mills would go on to combine two of the most powerful posts at the State Department -- chief of staff and counselor -- 
under Hillary Clinton. In that job, she spoke for Clinton on management matters within the department. 


Mills didn’t reply to an e-mail seeking comment. 


Not long after resigning as secretary of state, Clinton’s private e-mail service was transferred to a commercial provider,
MX Logic, Devost said.


“The timing makes sense,” Devost said. “When she left office and was no longer worried as much about control over
her e-mails, she moved to a system that was easier to administer.”


It took less than a day for researchers to find potential problems with the Clinton’s system.


Using a scanning tool called Fierce that he developed, Robert Hansen, a web-application security specialist, found 
what he said were the addresses for Microsoft Outlook Web access server used by Clinton’s e-mail service, and the 
virtual private network used to download e-mail over an encrypted connection. If hackers located those links, they 
could search for weaknesses and intercept traffic, according to security experts. 


Factory Default 


Using those addresses, McGeorge discovered that the certificate appearing on the site Tuesday appeared to be the 
factory default for the security appliance, made by Fortinet Inc., running the service. 


Those defaults would normally be replaced by a unique certificate purchased for a few hundred dollars. By not taking 
that step, the system was vulnerable to hacking. 


It’s unclear whether the site’s settings were the same before news of the private e-mail account emerged this week.

Fortinet issued a statement saying it wasn’t aware the company’s technologies were used by Clinton.


“If they were, our recommendation is to replace provided self-signed certificates with valid digital certificates for the 
protected domains,” said Andrea Cousens, a Fortinet spokeswoman. 


“It may have fallen in the realm of acceptable risk,” Devost said. “They wanted to make sure that when she was in 
Egypt all of the traffic from her phone to the mail server was encrypted and that was their priority.” 
in Washington at jrobertson40@bloomberg.net; Chris Strohm in Washington at cstrohm1@bloomberg.net
Recommendations for additional Cyber Security...
1 message


Sat, Mar 7, 2015 at 12:55 PM


Some quick thoughts on shoring up the defenses... The most likely scenario to play out would be your staff targeted with a phishing email, to either ask them for
credentials to the local network, or asking them to click a link, which will install malware. Once malware is installed, keystrokes are logged to capture the LAN
credentials. So we would definitely recommend an all-hands refresher ASAP on security awareness / social engineering vigilance.


As for technical controls...

- Implement 0-day protection on the perimeter (url filtering and malware sandboxing)

- Monitor all access and failed attempts to access your network resources, and your client's resources.

- Conduct vulnerability scanning on your network to verify that patching was effective, should someone click the link

- You may also want to put any admins who work on the clients account, into their own isolated vlan, should one of the other Platte River employees get
infected/compromised.

- Confirm all vectors of access into the environments.

Let me know if you would like to touch base by phone to discuss further.
Factsheets


Updated: The Facts About Hillary Clinton’s Emails 


We've put all of the information about Hillary Clinton’s State Department emails here. Just the facts, all in 
one place. 


Why did Clinton use her own email account? 


When Clinton got to the Department, she opted to use her personal email account as a matter of 
convenience. It enabled her to reach people quickly and keep in regular touch with her family and friends 
more easily given her travel schedule. 


That is the only reason she used her own account. 


Her usage was widely known to the over 100 State Department and U.S. government colleagues she emailed, 
consistent with the practice of prior Secretaries of State and permitted at the time. 


As Clinton has said, in hindsight, it would have been better to just have two accounts. While she thought 
using one account would be easier, obviously, that has not been the case. 


Was it allowed? 


Yes. The laws, regulations, and State Department policy in place during her tenure permitted her to use a 
non-government email for work. 


The 2009 National Archives regulation in place during her tenure required that "[a]gencies that allow 
employees to send and receive official electronic mail messages using a system not operated by the agency 
must ensure that Federal records sent or received on such systems are preserved in the appropriate agency 
recordkeeping system.” The regulation recognizes the use of non-government email accounts. 
As she has stated, Clinton's practice was to email government officials on their ".gov" accounts, so her work
emails were immediately captured and preserved. In fact, more than 90% of those emails should have 
already been captured in the State Department's email system before she provided them with paper copies. 


A Politifact analysis also confirmed that Clinton's practices complied with laws and regulations, including 
support from the former director of a prominent government accountability organization: "In Clinton's 
defense, we should note that it was only after Clinton left the State Department, that the National Archives 
issued a recommendation that government employees should avoid conducting official business on personal 
emails (though they noted there might be extenuating circumstances such as an emergency that require it). 
Additionally, in 2014, President Barack Obama signed changes to the Federal Records Act that explicitly said 
federal officials can only use personal email addresses if they also copy or send the emails to their official 
account. Because these rules weren't in effect when Clinton was in office, 'she was in compliance with the 
laws and regulations at the time,’ said Gary Bass, founder and former director of OMB Watch, a government 
accountability organization." 


Clinton said she did not use her email to send or receive classified information, but the State 
Department and two Inspectors General said some of these emails do contain classified 
information. Was her statement inaccurate? 


Clinton only used her account for unclassified email. No information in Clinton's emails was marked
classified at the time she sent or received them.


When information is reviewed for public release, it is common for information previously unclassified to be 
upgraded to classified if the State Department or another agency believes its public release could cause 
potential harm to national security, law enforcement or diplomatic relations. 


After reviewing a sampling of the 55,000 pages of emails, the Inspectors General have proffered that a small 
number of emails, which did not contain any classified markings and/or dissemination controls, should have 
been classified at the time they were sent. The State Department has said it disagrees with this assessment. 


Clinton hopes the State Department and the agencies involved in the review process will sort out as quickly 
as possible, which of the 55,000 pages of emails are appropriate to share with the public. 


How did Clinton receive and consume classified information? 


The Secretary's office was located in a secure area. Classified information was viewed in hard copy by Clinton 
while in the office. While on travel, the State Department had rigorous protocols for her and traveling staff to 
receive and transmit information of all types. 


A separate, closed email system was used by the State Department for the purpose of handling classified
communications, which was designed to prevent such information from being transmitted anywhere other 
than within that system. 


Is Department of Justice conducting a criminal inquiry into Clinton’s email use? 


No. As the Department of Justice and Inspectors General made clear, the IGs made a security referral. This 
was not criminal in nature as misreported by some in the press. The Department of Justice is now seeking 
assurances about the storage of materials related to Clinton’s email account. 


Is it true that her email server and a thumb drive were recently turned over to the 
government? Why? 


Again, when information is reviewed for public release, it is common for information previously unclassified 
to be upgraded to classified if the State Department or another agency believes its public release could cause 
potential harm to national security, law enforcement or diplomatic relations. 
Clinton hopes that State and the other agencies involved in the review process will sort out as quickly as
possible which emails are appropriate to share with the public, and that the release will be as timely and as 
transparent as possible. 


When the Department upgraded some of the previously unclassified email to classified, her team worked 
with the State Department to ensure copies of her emails were stored in a safe and secure manner. She also 
directed her team to give her server that hosted her email account while she was Secretary to the Department 
of Justice, as well as a thumb drive containing copies of her emails that already had been provided to the 
State Department. Clinton has pledged to cooperate with the government's security inquiry. 



Would this issue not have arisen if she used a state.gov email address? 


Even if Clinton's emails had been on a government email address and government device, these questions 
would be raised prior to public release. 


While the State Department's review of her 55,000 emails brought the issue to the Inspectors Generals’ 
attentions, the emails that recently were upgraded to classified prior to public release were on the 
unclassified .gov email system. They were not on the separate, closed system used by State Department for 
handling classified communications. 


Have Clinton's State Department aides also been asked to provide the Department and 
Congress with emails from their personal accounts? 


We understand that members of her State Department staff were recently asked to assist the Department in 
its record-keeping by providing any work-related emails they may have on personal accounts. They have 
received requests from Rep. Gowdy as well. 


Clinton is proud of the work of all the dedicated public servants that were part of her team at the State 
Department. She was proud of her aides then and is proud of them now, as they have committed - as she has 
- to being as helpful as possible in responding to requests. 


Press reports say she used multiple devices — a Blackberry and an iPad — is that true? 


Clinton relied on her Blackberry for emailing. This was easiest for her. When the iPad came out in 2010, she 
was as curious as others and found it great for shopping, browsing, and reading articles when she traveled. 
She also had access to her email account on her iPad and sometimes used it for that too. 


Was she ever provided guidance about her use of a non-".gov" email account? 


The State Department has and did provide guidance regarding the need to preserve federal records. To 
address these requirements, it was her practice to email government employees on their ".gov" email 
address. That way, work emails would be immediately captured and preserved in government record-keeping 
systems. 


What did Clinton provide to the State Department? 


On December 5, 2014, 30,490 copies of work or potentially work-related emails sent and received by Clinton 
from March 18, 2009, to February 1, 2013, were provided to the State Department. This totaled roughly 
55,000 pages. More than 90% of her work or potentially work-related emails provided to the Department 
were already in the State Department's record-keeping system because those e-mails were sent to or received 
by "state.gov" accounts.


Early in her term, Clinton continued using an att.blackberry.net account that she had used during her Senate 
service. Given her practice from the beginning of emailing State Department officials on their state.gov 
accounts, her work-related emails during these initial weeks would have been captured and preserved in the 
State Department's record-keeping system. She, however, no longer had access to these emails once she 
transitioned from this account. 
Why did the Select Committee announce that she used multiple email addresses during her
tenure?


In fairness to the Committee, this was an honest misunderstanding. Clinton used one email account during 
her tenure at State (with the exception of her initial weeks in office while transitioning from an email account 
she had previously used). In March 2013, a month after she left the Department, Gawker published the email 
address she used while Secretary, and so she had to change the address on her account. 


At the time the printed copies were provided to the Department in 2014, because it was the same account, 
the new email address established after she left office appeared on the printed copies as the sender, and not 
the address she used as Secretary. In fact, this address on the account did not exist until March 2013. This led 
to understandable confusion that was cleared up directly with the Committee after its press conference. 


Why didn't Clinton provide her emails to the State Department until December 2014? 


In 2014, after recognizing potential gaps in its overall recordkeeping system, the State Department asked for 
the help of the four previous former Secretaries in meeting the State Department's obligations under the 
Federal Records Act. 


Clinton responded to this request by providing the State Department with over 55,000 pages of emails. As it 
was Clinton's practice to email U.S. government officials on their .gov accounts, the overwhelming majority 
of these emails should have already been preserved in the State Department's email system. 


In providing these emails to the Department, Clinton included all she had that were even potentially work- 
related—including emails about using a fax machine or asking for iced tea during a meeting—erring on the 
side of over-inclusion, as confirmed by the Department and National Archives’ determination that over 1250 
emails were "personal" records (which they have indicated will be returned to her). 


After providing her work and potentially work-related emails, she chose not to keep her personal, non-work 
related emails, which by definition, are not federal records and were not requested by the Department or 
anyone else. 


Why did the State Department ask for assistance in collecting records? Why did the State 
Department need assistance in further meeting its requirements under the Federal Records 
Act? 


The State Department formally requested the assistance of the four previous former Secretaries in a letter to 
their representatives dated October 28, 2014, to help in further meeting the Department’s requirements 
under the Federal Records Act. 


The letter stated that in September 2013, the National Archives and Records Administration (NARA) issued 
new guidance clarifying records management responsibilities regarding the use of personal email accounts 
for government business. 


While this guidance was issued after all four former Secretaries had departed office, the Department decided 
to ensure its records were as complete as possible and sought copies of work emails sent or received by the 
Secretaries on their own accounts. 


Why did Clinton decide not to keep her personal emails? 


As Clinton has said before, these were private, personal messages, including emails about her daughter's 
wedding plans, her mother's funeral services and condolence notes, as well as emails on family vacations, 
yoga routines, and other items one would typically find in their own email account, such as offers from 
retailers, spam, etc. 


Did Clinton delete any emails while facing a subpoena? 
No. As noted, the emails that Clinton chose not to keep were personal emails—they were not federal records
or even work-related—and therefore were not subject to any preservation obligation under the Federal 
Records Act or any request. Nor would they have been subject to the subpoena—which did not exist at the 
time—that was issued by the Benghazi Select Committee some three months later. 


Rep. Gowdy's subpoena issued in March 2015 did not seek, and had nothing to do with, her personal, non- 
work emails nor her server nor the request by State Department last year for her help in their own record- 
keeping. Indeed in his March 19th letter, Rep. Gowdy expressly stated he was not seeking any emails that 
were "purely personal in nature." 


In March 2015, when Rep. Gowdy issued a subpoena to Clinton, the State Department had received all of 
Clinton's work-related emails in response to their 2014 request, and indeed, had already provided Clinton's 
relevant emails to Rep. Gowdy’s committee. 


Rep. Gowdy, other Republicans, and some members of the media have seized on a CNN interview with 
Clinton to question her on this point. Rep. Gowdy has even gone so far as to say Clinton is lying. But he and 
the others are clearly mistaken. 


As Vox reported, "[S]he didn't lie about the subpoena. ... Clinton clearly wasn't responding to the question of
whether she'd ever been subpoenaed by the Benghazi Committee but whether she'd been subpoenaed before 
she wiped the emails from her server.” Additionally, Factcheck.org said in its analysis, "Clinton's denial came 
in response to a question about deleting emails 'while facing a subpoena,’ and Clinton objected to Keilar's 
‘assumption.’ Clinton’s campaign said that the emails were deleted before she received the subpoena and that 
was the point Clinton was making." Politifact added, "Suggesting that Clinton deleted emails while facing a 
subpoena contradicts what we know about the controversy so far.” 


Vox went on to further decry Rep. Gowdy’s reaction, saying, "[T]his one's a particularly absurd gimmick, 
even for a committee that is selectively leaking from depositions and documents to justify its existence. If 
there was a more extreme category of dissembling than ‘pants on fire,’ now would be the time for Politifact to 
roll it out on the House Republicans.” 


Why was the State Department given printed copies? 


That is the requirement. The instructions regarding electronic mail in the Foreign Affairs Manual (the 
Department's policy manual) require that "until technology allowing archival capabilities for long-term 
electronic storage and retrieval of email messages is available and installed, those messages warranting 
preservation as records (for periods longer than current E-mail systems routinely maintain them) must be 
printed out and filed with related records.” [5 FAM 443.3]. 


Were any work items deleted in the course of producing the printed copies? 
No. 


How many emails were in her account? And how many of those were provided to the State
Department?


Her email account contained a total of 62,320 sent and received emails from March 2009 to February 2013.
Based on the review process described below, 30,490 of these emails were provided to the Department, and 
the remaining 31,830 were private, personal records. 


How and who decided what should be provided to the State Department? 


The Federal Records Act puts the obligation on the government official to determine what is and is not a 
federal record. The State Department Foreign Affairs Manual outlines guidance "designed to help employees 
determine which of their e-mail messages must be preserved as federal records and which may be deleted 
without further authorization because they are not Federal record materials." [5 FAM 443.1(c)]. 
Following conversations with State Department officials and in response to the State Department's 2014
letter to former Secretaries, Clinton directed her attorneys to assist by identifying and preserving all emails 
that could potentially be federal records. This entailed a multi-step process to review each email and provide 
printed copies of Clinton's emails to the State Department, erring on the side of including anything that 
might be even potentially work-related. 


A search was conducted on Clinton's email account for all emails sent and received from 2009 to her last day
in office, February 1, 2013. 


After this universe was determined, a search was conducted for a ".gov" (not just state.gov) in any address 
field in an email. This produced over 27,500 emails, representing more than 90% of the 30,490 printed 
copies that were provided to the State Department. 


To help identify any potential non-".gov" correspondence that should be included, a search of first and last 
names of more than 100 State Department and other U.S. government officials was performed. This included 
all Deputy Secretaries, Under Secretaries, Assistant Secretaries, Ambassadors-at-Large, Special 
Representatives and Envoys, members of the Secretary's Foreign Policy Advisory Board, and other senior 
officials to the Secretary, including close aides and staff. 


Next, to account for non-obvious or non-recognizable email addresses or misspellings or other 
idiosyncrasies, the emails were sorted and reviewed both by sender and recipient. 


Lastly, a number of terms were specifically searched for, including: "Benghazi" and "Libya." 


These additional three steps yielded just over another 2,900 emails, including emails from former 
Administration officials and long-time friends that may not be deemed by the State Department to be federal 
records. And hundreds of these emails actually had already been forwarded onto the state.gov system and 
captured in real-time. 


With respect to materials that the Select Committee has requested, the State Department has stated that just 
under 300 emails related to Libya were provided by the State Department to the Select Committee in 
response to a November 2014 letter, which contained a broader request for materials than prior requests 
from the House Oversight and Government Reform Committee. 


Given Clinton's practice of emailing State Department officials on their state.gov addresses, the State 
Department already had, and had already provided, the Select Committee with emails from Clinton in August 
2014 — prior to requesting and receiving printed copies of her emails. 


The review process described above confirmed Clinton's practice of emailing State Department officials on
their .gov address, with the vast majority of the printed copies of work-related emails Clinton provided to the 
State Department simply duplicating what was already captured in the State Department's record-keeping 
system in real time. 


Did Clinton use this account to communicate with foreign officials? 


During her time at State, she communicated with foreign officials in person, through correspondence, and by
telephone. The review of all of her emails revealed only one email with a foreign (UK) official. 


Did she withhold any work emails? What about the 15 emails that Sid Blumenthal provided 
to the Select Committee that she did not provide to the State Department? 


She provided the State Department with all work and potentially work-related emails that she had, including 
all of her correspondence with Sid Blumenthal. We understand that Mr. Blumenthal had some emails that 
Clinton did not have, and Clinton had some emails that Mr. Blumenthal did not have, but it is important to 
note that none of those emails provide any new insights on the attack on our facilities in Benghazi. 


Do you think a third party should have been allowed to review what was turned over to the 
State Department, as well as the remainder that was not? 
The Federal Records Act puts the obligation on the government official, not the agency or a third party, to
determine what is and is not a federal record. The State Department Foreign Affairs Manual outlines
guidance "designed to help employees determine which of their e-mail messages must be preserved as
federal records and which may be deleted without further authorization because they are not Federal record 
materials." [5 FAM 443.1(c)]. 


Clinton responded to the State Department's request by providing approximately 55,000 pages of her work 
and potentially work-related emails. She has also taken the unprecedented step of asking that those emails be 
made public. In doing so, she has sought to support the State Department's efforts, fulfill her responsibility of 
record-keeping, and provide the chance for the public to assess the work she and officials at the State 
Department did during her tenure. 


After her work-related emails were identified and preserved, Clinton chose not to keep her private, personal 
emails that were not federal records, including emails about her daughter's wedding plans, her mother's 
funeral service, family vacations, etc. 


Government officials are granted the privacy of their personal, non-work related emails, including personal 
emails on .gov accounts. Clinton exercised her privilege to ensure the continued privacy of her personal, non- 
work related emails. 


Can't she release the emails she provided to the State Department herself? 


Because the printed copies of work-related emails she provided to the State Department include federal 
records of the Department, the Department needs to review these emails before they can be made public. She 
called for them to be made available as soon as possible, and is glad to see the Department has begun 
releasing them. 


Some of the emails released show Clinton emailed aides at times on their personal, rather 
than .gov accounts. Was she trying to hide these communications? 


As Clinton has said before, it was her practice to email U.S. government officials on their .gov accounts if it 
was work-related. This is evidenced in the emails released so far. In reviewing her emails in 2014, there was a 
fraction of emails with work-related information sent to U.S. government officials’ personal accounts, and 
those were provided to the State Department. The overwhelming majority of her work-related emails were
to .gov accounts.


Where was the server for her email located?

The server for her email was physically located on her property, which is protected by U.S. Secret Service.

What level of encryption was employed? Who was the service provider?


The security and integrity of her family's electronic communications was taken seriously from the onset when 
it was first set up for President Clinton's team. While the curiosity about the specifics of this set up is 
understandable, given what people with ill intentions can do with such information in this day and age, there 
are concerns about broadcasting specific technical details about past and current practices. Suffice it to say, 
robust protections were put in place and additional upgrades and techniques employed over time as they 
became available, including consulting and employing third party experts. 


Was the server ever hacked? 
No, there is no evidence there was ever a breach. 


Was there ever an unauthorized intrusion into her email or did anyone else have access to
it?


No. 
What was done after her email was exposed in February 2013 after the hacker known as
"Guccifer" hacked Sid Blumenthal’s account? 


While this was not a breach of Clinton's account, because her email address was exposed, steps were taken at 
that time to ensure the security and integrity of her electronic communications, including changing her email 
address. 


Was the State Department able to respond to requests related to FOIA or Congressional 
requests before they received printed copies of her work-related emails? 


Yes. As the Select Committee has said, the State Department provided the Committee with relevant emails it
already had on the state.gov system before the State Department requested any printed copies from former 
Secretaries, and four months before the State Department received the printed copies. 


For example, in the well-publicized hack of Sid Blumenthal's email account, a note he sent Clinton on 
September 12, 2012, was posted online. At first blush, one might not think this exchange would be captured 
on the state.gov system. But in fact, Clinton forwarded the email, that very same day, onto the state.gov 
system. And the email was produced by the State Department to the Select Committee, and acknowledged by 
the Select Committee, in August 2014. 


This example illustrates: 1) when an email from a non-".gov" sender had some connection to work or might 
add to the understanding of State Department officials, it was Clinton’s practice to forward it to officials at 
their "state.gov" address; and 2) the State Department was able to search and produce Clinton’s emails when 
needed long before, and unrelated to, receiving the printed copies as they were already captured on state.gov
accounts.
Romanian hacker Guccifer: I breached Clinton server, 'it was easy'


By Catherine Herridge, Pamela K. Browne 




Published May 04, 2016 


FoxNews.com 
EXCLUSIVE: The infamous Romanian hacker known as “Guccifer,” speaking exclusively with Fox News, claimed he easily — and
repeatedly — breached former Secretary of State Hillary Clinton's personal email server in early 2013.


“For me, it was easy ... easy for me, for everybody,” Marcel Lehel Lazar, who goes by the moniker "Guccifer,” told Fox News from a 
Virginia jail where he is being held. 


Guccifer’s potential role in the Clinton email investigation was first reported by Fox News last month. The hacker subsequently
claimed he was able to access the server — and provided extensive details about how he did it and what he found — over the course 
of a half-hour jailhouse interview and a series of recorded phone calls with Fox News. 


Fox News could not independently confirm Lazar's claims. 


In response to Lazar's claims, the Clinton campaign issued a statement Wednesday night saying, "There is absolutely no basis to 
believe the claims made by this criminal from his prison cell. In addition to the fact he offers no proof to support his claims, his 
descriptions of Secretary Clinton's server are inaccurate. It is unfathomable that he would have gained access to her emails and not 
leaked them the way he did to his other victims.” 


The former secretary of state's server held nearly 2,200 emails containing information now deemed classified, and another 22 at the 
“Top Secret” level.




The 44-year-old Lazar said he first compromised Clinton confidant Sidney Blumenthal's AOL account, in March 2013, and used that
as a stepping stone to the Clinton server. He said he accessed Clinton's server “like twice,” though he described the contents as
“not interest[ing]” to him at the time.


“I was not paying attention. For me, it was not like the Hillary Clinton server, it was like an email server she and others were using
with political voting stuff,” Guccifer said. 


The hacker spoke freely with Fox News from the detention center in Alexandria, Va., where he's been held since his extradition to
the U.S. on federal charges relating to other alleged cyber-crimes. Wearing a green jumpsuit, Lazar was relaxed and polite in the 
monitored secure visitor center, separated by thick security glass. 


In describing the process, Lazar said he did extensive research on the web and then guessed Blumenthal's security question. Once 
inside Blumenthal’s account, Lazar said he saw dozens of messages from the Clinton email address. 


Asked if he was curious about the address, Lazar merely smiled. Asked if he used the same security question approach to access 
the Clinton emails, he said no — then described how he allegedly got inside. 


“For example, when Sidney Blumenthal got an email, I checked the email pattern from Hillary Clinton, from Colin Powell from
anyone else to find out the originating IP. ... When they send a letter, the email header is the originating IP usually," Lazar 
explained. 


He said, “then I scanned with an IP scanner." 
Lazar emphasized that he used readily available web programs to see if the server was “alive” and which ports were open. Lazar
identified programs like netscan, Netmap, Wireshark and Angry IP, though it was not possible to confirm independently which, if
any, he used.
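
The header disclosure Lazar describes can be checked from the defender's side. The following is an added example, not part of the Fox News article or the FBI file: it lists the IP addresses that a message's Received and X-Originating-IP headers disclose, then produces the same message with the client-side trace removed, as a submission server can be configured to relay it. The sample message, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.message import Message

# Constructed sample (not from the article). Public addresses are RFC 5737
# documentation ranges; 192.168.1.44 stands in for a host behind NAT.
SAMPLE = (
    "Received: from mx.example.net (mx.example.net [198.51.100.25])\n"
    "\tby inbound.example.org with ESMTPS; Mon, 4 Mar 2013 10:00:02 -0500\n"
    "Received: from [192.168.1.44] (home.example.net [203.0.113.7])\n"
    "\tby mx.example.net with ESMTPSA; Mon, 4 Mar 2013 10:00:01 -0500\n"
    "X-Originating-IP: [203.0.113.7]\n"
    "From: sender@example.net\n"
    "To: rcpt@example.org\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
# Explicit RFC 1918 and loopback ranges; ipaddress.is_private would also
# classify the documentation ranges used in SAMPLE as private.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _ips(text):
    """Yield the valid IPv4 addresses found in one header value."""
    for token in IPV4.findall(text):
        try:
            yield ipaddress.ip_address(token)
        except ValueError:
            continue  # looks like an address but is not one (e.g. 999.1.1.1)


def _scope(ip):
    return "internal" if any(ip in net for net in INTERNAL) else "public"


def audit(raw):
    """Return (header, hop, ip, scope) for every address in the trace headers.

    Hop 0 is the Received line added by the first server, the one that records
    the author's own machine. X-Originating-IP is reported as hop 0 as well.
    """
    msg = message_from_string(raw)
    rows = []
    # Received lines are prepended in transit, so reverse for author-first order.
    for hop, value in enumerate(reversed(msg.get_all("Received", []))):
        rows += [("Received", hop, str(ip), _scope(ip)) for ip in _ips(value)]
    for value in msg.get_all("X-Originating-IP", []):
        rows += [("X-Originating-IP", 0, str(ip), _scope(ip)) for ip in _ips(value)]
    return rows


def first_hop_public(raw):
    """Public addresses disclosed by the earliest hop recorded in the message."""
    return sorted({ip for _, hop, ip, scope in audit(raw)
                   if hop == 0 and scope == "public"})


def scrub(raw):
    """Copy the message without X-Originating-IP and the author-facing Received line."""
    src = message_from_string(raw)
    author_hop = len(src.get_all("Received", [])) - 1  # last in header order
    out, seen = Message(), 0
    for name, value in src.items():  # items() preserves header order
        lowered = name.lower()
        if lowered == "x-originating-ip":
            continue
        if lowered == "received":
            seen += 1
            if seen - 1 == author_hop:
                continue
        out[name] = value
    out.set_payload(src.get_payload())
    return out.as_string()


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
    print("first hop discloses:", first_hop_public(SAMPLE))
    print(scrub(SAMPLE))
```

After scrubbing, the earliest hop left in the message is the relay itself, whose address is already public in DNS.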


In the process of mining data from the Blumenthal account, Lazar said he came across evidence that others were on the Clinton 
server. 
“As far as I remember, yes, there were ... up to 10, like, IPs from other parts of the world,” he said.
With no formal computer training, he did most of his hacking from a small Romanian village.
Lazar said he chose to use “proxy servers in Russia,” describing them as the best, providing anonymity. 


Cyber experts who spoke with Fox News said the process Lazar described is plausible. The federal indictment Lazar faces in the 
U.S. for cyber-crimes specifically alleges he used “a proxy server located in Russia” for the Blumenthal compromise.


Each Internet Protocol (IP) address has a unique numeric code, like a phone number or home address. The Democratic
presidential front-runner's home-brew private server was reportedly installed in her home in Chappaqua, N.Y., and used for all U.S. 
government business during her term as secretary of state. 


Former State Department IT staffer Bryan Pagliano, who installed and maintained the server, has been granted immunity by the 
Department of Justice and is cooperating with the FBI in its ongoing criminal investigation into Clinton's use of the private server. An 
intelligence source told Fox News last month that Lazar also could help the FBI make the case that Clinton's email server may have 
been compromised by a third party. 


Asked what he would say to those skeptical of his claims, Lazar cited “the evidence you can find in the Guccifer archives as far as I
can remember.” 


Writing under his alias Guccifer, Lazar released to media outlets in March 2013 multiple exchanges between Blumenthal and
Clinton. They were first reported by the Smoking Gun. 


It was through the Blumenthal compromise that the Clintonemail.com accounts were first publicly revealed. 


As recently as this week, Clinton said neither she nor her aides had been contacted by the FBI about the criminal
investigation. Asked whether the server had been compromised by foreign hackers, she told MSNBC on Tuesday, “No, not at all.” 


Recently extradited, Lazar faces trial Sept. 12 in the Eastern District of Virginia. He has pleaded not guilty to a nine-count federal 
indictment for his alleged hacking crimes in the U.S. Victims are not named in the indictment but reportedly include Colin Powell, a 
member of the Bush family and others including Blumenthal. 


Lazar spoke extensively about Blumenthal's account, noting his emails were “interesting” and had information about “the Middle 
East and what they were doing there.” 


After first writing to the accused hacker on April 19, Fox News accepted two collect calls from him, over a seven-day period, before
meeting with him in person at the jail. During these early phone calls, Lazar was more guarded.


After the detention center meeting, Fox News conducted additional interviews by phone and, with Lazar's permission, recorded 
them for broadcast. 


While Lazar's claims cannot be independently verified, three computer security specialists, including two former senior intelligence 
officials, said the process described is plausible and the Clinton server, now in FBI custody, may have an electronic record that 
would confirm or disprove Guccifer’s claims. 


“This sounds like the classic attack of the late 1990s. A smart individual who knows the tools and the technology and is looking for 
glaring weaknesses in Internet-connected devices,” Bob Gourley, a former chief technology officer (CTO) for the Defense 
Intelligence Agency, said. 


Gourley, who has worked in cybersecurity for more than two decades, said the programs cited to access the server can be dual 
purpose. “These programs are used by security professionals to make sure systems are configured appropriately. Hackers will look 
and see what the gaps are, and focus their energies on penetrating a system,” he said. 


Cybersecurity expert Morgan Wright observed, "The Blumenthal account gave [Lazar] a road map to get to the Clinton server. 
You get a foothold in one system. You get intelligence from that system, and then you start to move.” 


In March, the New York Times reported the Clinton server security logs showed no evidence of a breach. On whether the Clinton 
security logs would show a compromise, Wright made the comparison to a bank heist: “Let's say only one camera was on in the 
bank. If you don't have them all on, or the right one in the right locations, you won't see what you are looking for.” 


Gourley said the logs may not tell the whole story and the hard drives, three years after the fact, may not have a lot of related data 
left. He also warned: "Unfortunately, in this community, a lot of people make up stories and it's hard to tell what's really true until you 
get into the forensics information and get hard facts.” 


HRC-9107 
http://www.foxnews.com/politics/2016/05/04/romanian-hacker-guccifer-breached-clinton-... 5/10/2016 


Romanian hacker Guccifer: I breached Clinton server, 'it was easy' | Fox News Page 3 of 3 


For Lazar, a plea agreement where he cooperates in exchange for a reduced sentence would be advantageous. He told Fox News 
he has nothing to hide and wants to cooperate with the U.S. government, adding that he has hidden two gigabytes of data that is 
“too hot” and “it is a matter of national security.” 

In early April, at the time of Lazar's extradition from a Romanian prison where he already was serving a seven-year sentence for 
cyber-crimes, a former senior FBI official said the timing was striking. 


“Because of the proximity to Sidney Blumenthal and the activity involving Hillary's emails, [the timing] seems to be something 
beyond curious,” said Ron Hosko, former assistant director of the FBI's Criminal Investigative Division from 2012-2014. 


The FBI offered no statement to Fox News. 


Catherine Herridge is an award-winning Chief Intelligence correspondent for FOX News Channel (FNC) based in Washington, D.C. 
She covers intelligence, the Justice Department and the Department of Homeland Security. Herridge joined FNC in 1996 as a 
London-based correspondent. 


Pamela K. Browne is Senior Executive Producer at the FOX News Channel (FNC) and is Director of Long-Form Series and 
Specials. Her journalism has been recognized with several awards. Browne first joined FOX in 1997 to launch the news magazine 
“Fox Files” and later, “War Stories.” 

Romanian hacker who claims he breached Clinton server 
says he spoke with FBI at length 


By Catherine Herridge, Pamela K. Browne 


Published May 07, 2016 


FoxNews.com 
EXCLUSIVE: The Romanian hacker who says he easily breached Hillary Clinton's personal email server also claimed, in a series 
of interviews with Fox News, that he spoke with the FBI at length on the plane when extradited from Romania to Virginia last month. 


“They came after me, a guy from the FBI, from the State Department,” 44-year-old Marcel Lehel Lazar, who goes by the moniker 
"Guccifer,” told Fox News during a jailhouse phone interview. He said the conversation was "80 minutes ... recorded,” and he took 
his own notes. 


A government source confirmed that the hacker had a lot to say on the plane but provided no other details. Lazar was flown to the 
U.S. to face separate cyber-crime charges. 


In addition to the apparent conversation with the FBI on the plane, Fox News has learned a meeting was expected as early as this 
week at the Alexandria, Va., detention center where he's being held involving Guccifer, the FBI, the U.S. attorney and the 
defendant's court-appointed lawyer. 


These officials have not commented on his claims or detention. 


An intelligence source close to the investigation, speaking with Fox News last month, questioned the timing of Lazar's extradition to 
the U.S., coming amid the Clinton email probe. As for what was discussed on that plane, Lazar said he told a State Department 
representative on the plane about "hot" data, some of which was hidden in Google drives, and other data that was too sensitive and 
deleted. The hacker, who offered no proof for his claims, said cryptically that he could not say more. 


“I can't tell [you] now. I can't tell because I want to talk to the FBI. It is a matter of national security. Yeah," he said. Pressed by Fox 
News, Lazar seemed to indicate the data was not connected to the ongoing FBI criminal probe of Clinton's server. 


Fox News recently met with Lazar in the secure visitor center in Alexandria, then followed up with a series of phone calls which he 
gave permission to be recorded. Separated by reinforced glass, Lazar was polite and methodical as he explained how he allegedly 
accessed the Clinton server in early 2013, by using her longtime confidant Sidney Blumenthal's AOL account as a stepping stone. 


Fox News was first to report the hacker's claims of accessing the Clinton server, which he said “was easy.” 


Lazar said he got into the Blumenthal account by correctly guessing his security question, after doing extensive research on the 
web. He said his hacking always followed a “four step process”: identify the target, do extensive web research on the target, access 
the target's account to harvest data, and send it out to the media. 


Lazar said he was puzzled by the American media. He said he sent the Blumenthal emails, which is how the Clintonemail.com 
account first came to light, to many large news organizations in 2013, and it was The Smoking Gun that picked it up. Lazar said he 
started his "Guccifer archive," releasing materials in October and November 2012, and it ended “like August 2013.” 


Three cybersecurity experts said they found Lazar's explanation for accessing the Clinton server plausible but had questions. 


Cybersecurity expert Morgan Wright explained how the FBI could marry up available evidence, including forensics or the 
configuration of the server and its folders, to assess his claims. “So we're going to map these things together, and if those things 
match up together, they're going to say ‘yes, this was compromised,’ then it means it was open to other people to compromise as 
well,” he said. 


Since Fox News reported on Guccifer's claims Wednesday, anonymous sources have reported that a review of the Clinton hard 
drives does not appear to indicate a breach. However, Wright and other experts warned that Clinton IT specialist Bryan Pagliano 
was the server's administrator and not principally a cybersecurity specialist - and may not have installed an adequate detection 
system for a Cabinet secretary's email. 


“If you have a bank and you have one video camera when you need 20, then you missed it,” Wright said. “If they weren't capturing 
all the activity, their security logs may say they didn't see anything.” 


Asked about Lazar's claims at Thursday's press briefing, State Department spokesman Mark Toner also said he’s not aware of 
such an incident. 


“We don't have any reason to believe that it might be true,” he said. 


At the same time, Toner repeatedly stressed he did not want to comment on the security of the server, citing ongoing investigations. 
Asked if he’s in a position to even know whether Lazar's claims are true, Toner again said he did not want to comment. The Clinton 
campaign has rejected Lazar's claims, calling them “baseless” and emphasizing he is a convicted hacker. 


Other cyber specialists like Bob Gourley with Cognitio warned there will “always be uncertainty and ambiguity” with hackers like 
Guccifer. But he said: “One thing I would say with certainty however - if this computer were in a well-managed facility, where 
everything was being monitored and watched, we would have more information and ground truth." 


Catherine Herridge is an award-winning Chief Intelligence correspondent for FOX News Channel (FNC) based in Washington, D.C. 
She covers intelligence, the Justice Department and the Department of Homeland Security. Herridge joined FNC in 1996 as a 
London-based correspondent. 


Pamela K. Browne is Senior Executive Producer at the FOX News Channel (FNC) and is Director of Long-Form Series and 
Specials. Her journalism has been recognized with several awards. Browne first joined FOX in 1997 to launch the news magazine 
“Fox Files” and later, “War Stories.” 

SECRET//NOFORN 
FEDERAL BUREAU OF INVESTIGATION 


Electronic Communication 


Title: (U) Subfile Opening Document Date: 10/08/2015 


ce: 


From: WASHINGTON FIELD 
WF-CI13 


Case ID #: L_sé&#F IER (S7 BY) MIDYEAR EXAM; 


MISHANDLING OF CLASSIFIED; 
UNKNOWN SUBJECT OR COUNTRY; 
SENSITIVE INVESTIGATIVE MATTER (SIM) 


Synopsis: (U) To open a FILTER Subfile for material related to Filter 
process. 


Derived 
Sources 
classify On: 20401 


Details: 


To open a FILTER subfile for relevant information associated with the 
Filter process in captioned investigation. 

SECRET//NOFORN 
FEDERAL BUREAU OF INVESTIGATION 


Title: (U//FOUO) To memorialize the Finalized Filter Team Memorandum 
from the Department of Justice 


Date: 11/23/15 
To: Washington Field 


From: Washington Field 
CI-12 


Case 1D #: (See) [T SSC*iS FILTER ~ 2 


(0) BAAEY MIDYEAR EXAM; 
MISHANDLING OF CLASSIFIED; 
UNKNOWN SUBJECT OR COUNTRY; 
SENSITIVE INVESTIGATIVE MATTER (SIM) 


Synopsis: (U//FOUO) To memorialize the Filter Team Memorandum dated 
October 28, 2015 provided by the U.S. Department of Justice National 
Security Division. 


Enclosure(s): Enclosed are the following items: 

1. (U//FOUO) Filter Team Memorandum dated 10/08/2015, and 

2. (U//FOUO) Filter Team Memorandum with Attachment A dated 
10/28/2015. 


Classified By: F53M23K80 
Derived From: dated 20130301 
Declassify On: 20401231 


Details: (U//FOUO) On October 8, 2015, the U.S. Department of Justice 
(DOJ) National Security Division, Counterintelligence and Export 
Control Section (CES) Trial Attorney [___] provided 
the FBI Filter Team with the enclosed copy of the Filter Team 
Instructions, dated the same. The Filter Team Instructions' 
Attachment A (Search Terms) had not yet been finalized at this time. 

(U//FOUO) On October 8, 2015, [___] reviewed the Filter Team 
Instructions with the Filter Team members. The Filter Team 
consisted of the following individuals from Washington Field Office 
(WFO): Special Agent (SA) [___], SA [___], 
Intelligence Analyst (IA) [___], IA [___] 
and IA [___]; the following attorney from FBI 
Headquarters (FBIHQ) National Security Law Branch (NSLB): 
Assistant General Counsel [___]; and Operational 
Technology Division (OTD) Information Technology Specialist / 
Forensic Examiner [___]. Also present for the duration 
of the briefing were WFO Assistant Special Agent in Charge (ASAC) 
Peter P. Strzok, Supervisory Special Agent (SSA) [___] and 
FBIHQ Counterintelligence Division Assistant Section Chief (ASC) 
Jonathan Moffa. 


(U//FOUO) On October 28, 2015, [___] provided the FBI Filter 
Team with the enclosed final version of the Filter Team Instructions, 
dated the same. The finalized version contains an additional 
attachment (Attachment A (Search Terms)). 

b6 
b7c 

SECRET//NOFORN 


FEDERAL BUREAU OF INVESTIGATION 


Title: (U//FOUO) To memorialize the Addendum to the Filter Team 
Memorandum from the Department of Justice 


Date: 04/01/16 

To: Washington Field 
From: Washington Field 
CI-12 


(0) TS 4A) MIDYEAR EXAM; 
MISHANDLING OF CLASSIFIED; 
UNKNOWN SUBJECT OR COUNTRY; 
SENSITIVE INVESTIGATIVE MATTER (SIM) 


Synopsis: (U//FOUO) To memorialize the Addendum to the Filter Team 
Memorandum for Unallocated Space dated January 22, 2016 provided by 
the U.S. Department of Justice National Security Division. 


Enclosure(s): Enclosed is the following item: 
1. (U//FOUO) Filter Team Memorandum dated 01/22/2016 


: F53M23K80 
dated 20130301 


20411231 


Details: (U//FOUO) On January 22, 2016, the U.S. Department of 
Justice (DOJ) National Security Division, Counterintelligence and 
Export Control Section (CES) Trial Attorney [___] 
provided the FBI Filter Team with the enclosed copy of the Addendum 
to Filter Team Instructions Regarding Unallocated Space, dated the 
same. 


(U//FOUO) The Addendum changes were reviewed with the Filter Team 
on February 1, 2016 by FBI Headquarters (FBIHQ) National Security 
Law Branch (NSLB) Assistant General Counsel [___]. The 
Addendum was also briefed to the Investigative Team on February 4, 
2016 by [___]. 

(U//FOUO) On March 24, 2016, [___] reviewed the collective 
Filter Team Instructions with new Filter Team members. The new Filter 
Team members consisted of the following individuals from Washington 
Field Office (WFO): Special Agent (SA) [___] 
and SA [___]. 

b6 
b7c 


HRC-9147 


b7c 


HRC-9148 


DECLASSIFIED BY: NSICG J37385T94 


ON 10-13-2017 


(Rev. 05-01-2008) 


SECRET//NOFORN 
FEDERAL BUREAU OF INVESTIGATION 


Title: (U//FOUO) To memorialize the review of case evidence by the 
Filter Team 


Date: 04/11/16 
To: Washington Field 
From: Washington Field 
CI-12 
b7c 
Case ID #: state) [~ CO#R FILTER -4 


{U) TSA Ate) MIDYEAR EXAM; 
MISHANDLING OF CLASSIFIED; 
UNKNOWN SUBJECT OR COUNTRY; 
SENSITIVE INVESTIGATIVE MATTER (SIM) 


Synopsis: (U//FOUO) To memorialize the review of case evidence by 
the Filter Team as of April 6, 2016. 


Classified By: F53M23K80 
Derived From: dated 20130301 
Declassify On: 20411231 


Details: (U//FOUO) On or about September 30, 2015 through April 6, 
2016, the designated Filter Team conducted a filter review of case 
evidence as directed by the Investigative Team. This evidence 
consisted entirely of digital media, which was processed by the 
Federal Bureau of Investigation (FBI) Operational 
Technology Division 
Filter Team 

The Filter Team conducted 
their review per the Memorandums provided by the Department of 
Justice (DOJ) and with guidance from the FBI National Security Law 
Branch (NSLB). The Filter Team passed the files deemed to be not 
privileged to the Investigative Team via OTD. 


b7E 


(U//FOUO) The evidence items that the Filter Team reviewed include 
the following: 

SECRET//NOFORN 
FEDERAL BUREAU OF INVESTIGATION 


1) 1B1 - (U) 1 Lexar Micron 16 GB Black & Silver Thumbdrive - 
LJDTT166-000-1001 DA (Original), 1 Lexar Micron 8 GB Green and 
White LUDTT8GB-000-117AU (Copy 1), 1 Kingston 8GB Silver DT SE9 
(Copy 2) 

2) 1B2 - (U) Lenovo Think Pad T420 PB-YC912 12/03 

3) 1B3 - (U) Dell Poweredge 2900, Gray Color, S/N G842PC1 

4) 1B32 - USB Thumbdrive 

5) 1B40 - 1 Apple Mac Book Air Laptop S/N COZLFOICFM74 

6) 1B43 - Seagate Desktop External Hard Drive 1000 GB, S/N 
2GHJ026M/Power Supply/USB Cable 

7) 1B44 - Datto Server Supermicro 2V Server, Model 52000, S/N 
002590AFDEBE, Invoice 482547 

8) 1B46 - (U) QNAP Network Attached Storage (NAS) Device Model 
TS-1079 Pro, Serial #Q-11AI10175, 21.76 TB Total Capacity 
containing ITB Data Loaded from PRN Servers & Equipment 

9) 1B47 - (U) Apple Mac Pro S/N W893361H6644, Power Cord 

10) 1B48 - (U) Server 882 Dattobackup.com barcode 
C8470FC11M70024, Pin #CSE847 

11) 1B56 - (U) One (1) Western Digital My Passport Ultra External 
Hard Drive with Serial Number WXG1AA3M2130 

12) 1B64 - (U) 1 - 16GB SanDisk USB Drive 

13) 1B71 - (U) One (1) iPad with Serial Number [___], IMEI 
012224007843867 

(U//FOUO) Of the aforementioned items, items 1B3 and 1B43 contained 
over 200,000 unallocated files or file fragments available for Filter 
review. The review of the unallocated files was initially conducted 
in accordance with the Filter Team Instructions provided by DOJ on 
October 8, 2015, but the review quickly became unmanageable under 
those instructions. On or about December 8, 2015, the Investigative 
Team provided the Filter Team with a list of search terms to be used 
in [___] to assist with narrowing the files that needed Filter 
review. The Investigative Team agreed that the Filter Team did not 
have to review any files that did not include a “hit” on a search 
term. 


(U//FOUO) The Investigative Key Word Search Terms provided to the 
Filter Team on or about December 8, 2015 were as follows: 

b7E 

(U//FOUO) The Filter Team proceeded to use the Investigative Key Word 
Search Terms to conduct their review of the unallocated files, but 
the review still remained unmanageable. In addition, due to [___] 
system limitations, the Filter Team encountered additional 
difficulty in opening and managing the larger-sized files (upwards 
of 500 MB). 

b7E 


(U//FOUO) DOJ provided an addendum set of instructions specific to 
the Filter review of unallocated files on or about January 22, 2016. 
Using the addendum instructions in conjunction with a revised set 
of Investigative Search Terms provided on or about February 1, 2016, 
and with OTD splitting the larger files into smaller files (200K or 
less), the Filter Team was able to complete their review. 

FEDERAL BUREAU OF INVESTIGATION 

(U//FOUO) The Investigative Key Word Search Terms provided to the 
Filter Team on or about February 1, 2016 were as follows: 

(U//FOUO) Based on the augmented instructions, the Filter Team 
completed their filter and quality control reviews of the unallocated 
files on or about April 7, 2016. From on or about September 30, 2015 
through April 6, 2016, the Filter Team adjudicated over 45,000 files 
(files that had Filter Term hits) and passed over 750,000 files (that 
did not have Filter Term hits). 


HRC-9153 


